Information recording device, information playback device, information recording method, information playback method, and information recording medium and program providing medium used therewith

ABSTRACT

An information recording/playback device stores beforehand, on a recording medium, secret information in which a writing/reading method thereof cannot be analyzed and which can be read only by a special reading method. The secret information is applied to a key for content encryption or decryption when performing recording or playback of contents on the recording medium, such as music data and image data. The secret information is, for example, a stamper ID. By using the stamper ID as secret information, and a master key and a media key which are distributed in a tree-structure key-distribution system, a content-cryptosystem key is generated. Accordingly, each content is allowed to be used in only an appropriate device in which the special reading method for the secret information can be executed and to which the key is distributed by the tree-structure key-distribution system.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to information recording devices,information playback devices, information recording methods, informationplayback methods, and information recording media and program providingmedia used therewith. In particular, the present invention relates to aninformation recording device, an information playback device, aninformation recording method, and an information playback method inwhich, by using tree-structure, hierarchical key distribution to reducethe number of messages, reductions can be achieved in a datadistribution load which is generated when a key such as master key ormedia key is updated, and in which by using, as data for generating acontent-encryption key, secret information capable of being read only inspecial data-reading processing different from content-readingprocessing, the security of contents can be improved.

Specifically, the present invention relates to an information recordingdevice, an information playback device, an information recording method,and an information playback method in which, by using a key distributionmethod in which recording/playback devices are arranged as leaves of ann-ary tree so that the key (master key or media key) required forrecording/playback of content data on a recording medium can bedistributed by recording medium or communication link, eachrecording/playback device uses the key to perform the recording andplayback of the content data, and stores secret information, such asstamper ID, on a content storage disk for content recording/playback sothat the device performs a specified playback process to obtain thesecret information and generates a content-encryption key based on thesecret information. The present invention also relates to an informationrecording medium and a program providing medium which are used with theinformation recording device, the information playback device, theinformation recording method, and the information playback method.

2. Description of the Related Art

With the progress and development in digital signal processingtechnology, the use of recording devices and recording media for digitaldata recording has become widespread in recent years. By using therecording devices and recording media, images and sound can be recordedand played back repeatedly without a deterioration in quality. In thismanner, digital data can be repeatedly copied, while maintaining imageand sound quality. Accordingly, if illegally copied recording media aredistributed in the market, the profits to copyright holders for varioustype contents, such as music and movies, or appropriate dealershipowners decrease. Nowadays, to prevent such unauthorized copying ofdigital data, various mechanisms (systems) are being incorporated intodigital recording devices and recording media.

By way of example, the Serial Copy Management System (SCMS) is employedin Minidisk (MD) (trademark) devices as a method of preventingunauthorized copying. In the SCMS, a data playback side outputs an SCMSsignal with audio data from a digital interface, and the data recordingside controls, based on the SCMS signal, recording of the audio datafrom the data playback side so that unauthorized copying can beprevented.

Specifically, the SCMS signal represents an audio data type among “CopyFree” type in which the audio data may be copied any number of times,“Copy Once Allowed” type in which copying the audio data can beperformed only once, and “Copy Prohibited” type in which the copying ofthe audio data is prohibited. When receiving the audio data from thedigital interface, the data recording side detects the SCMS signal whichis transmitted with the audio data. When the SCMS signal receivedrepresents the Copy Free type, the data recording side records the audiodata on the Minidisk with the SCMS signal. When the SCMS signalrepresents the Copy Once Allowed type, the data recording side recordsthe audio data on the Minidisk after changing the type of the audio datato the Copy Prohibited type. When the SCMS signal represents the CopyProhibited type, the data recording side does not record the audio data.By using SCMS control, the Minidisk device prevents copyrighted audiodata from being illegally copied.

However., it is difficult for the SCMS to cope with a case in which aMinidisk device having no mechanism for performing SCMS control isproduced because the SCMS is based on the condition that a datarecording device itself must have the above structure for performingcontrol based on an SCMS signal of the recording of audio data from theplayback side. Accordingly, for example, digital versatile disk (DVD)players use a content scramble system to prevent copyrighted data frombeing illegally copied.

In the content scramble system, video data, audio data, etc., arerecorded in a DVD-ROM in encrypted form, and a key (decryption key) fordecrypting the encrypted data is given to a licensed DVD player. Thelicense is given to a DVD player designed to obey predeterminedoperation rules such as not performing unauthorized copying.Accordingly, the licensed DVD player can play back images and sound fromthe DVD-ROM by using the given key to decrypt the encrypted data in theDVD-ROM.

Conversely, an unlicensed DVD player cannot decrypt the encrypted datain the DVD-ROM because it does not have the key for decrypting theencrypted data. In the scramble system, a DVD player that does not meetthe conditions required for licensing is not allowed to play back aDVD-ROM containing digital data, thereby preventing unauthorizedcopying.

Nevertheless, the content scramble system employed in the DVD-ROM isdirected to recording media (hereinafter referred to also as “ROMmedia”) in which data writing by the user is impossible. The contentscramble system cannot be applied to an application to recording media(hereinafter referred to also as “RAM media”) in which data writing bythe user is possible.

In other-words, if data contained in ROM media is encrypted, unalteredcopying of the entire encrypted data to RAM media makes it possible tocreate a so-called “pirated edition” which can be played back by alicensed device.

Accordingly, the assignee of the present Application has filed JapanesePatent Application No. 10-25310 (Japanese Unexamined Patent ApplicationPublication No. 11-224461) for a construction in which by recording, ona recording medium, information (hereinafter referred to as “mediumidentification information”) for identifying each recording medium withother data, and using a condition that a device for use is licensedabout the medium identification information, only when the condition ismet does the device access the medium identification information on therecording medium.

In this construction, data on the recording medium is encrypted usingthe medium identification information and a secret key (master key)obtained when the apparatus is licensed. If an unlicensed device hasread the encrypted data, it cannot obtain semantic data. When the deviceis licensed, its operations are regulated so that it is unable toperform unauthorized reproduction (illegal copying).

The unlicensed device is not allowed to access the medium identificationinformation, and the medium identification information has a uniquevalue for each recording medium. Thus, if the unlicensed device hascopied all of the encrypted data on a new recording medium, theencrypted data on the new recording medium cannot be correctly decryptednot only by the unlicensed device but also by even the licensed device.Therefore, illegal copying is substantially prevented.

In the above construction, in general, a common master key is stored inall licensed devices. This is because the storing of the common masterkey in the devices is the condition required for a recording mediumhaving data recorded by one device to be played back by other devices(interoperability is ensured).

However, in this construction, if an attacker has succeeded in attackingone device and has extracted the master key, the attacker can decryptthe encrypted data contained in the entire system, so that the entiresystem may collapse. To prevent this situation, when it is detected thata device has been attacked and the master key exposed, the master keymust be updated, and the updated master key must be given to all of theother devices. Concerning a simplest method for implementing thistechnique, it is possible to perform provision of unique keys (devicekeys) for a plurality of device, preparation of values which areencrypted using the device keys, and sending of the values by recordingmedium. In this case, the amount of all messages to be sent increases inproportion to the number of devices.

To solve this problem, the assignee of the present Application hasalready filed a Japanese Patent Application regarding a construction inwhich, by using a key distribution method in which informationrecording/playback devices are arranged as leaves of an n-ary tree, anddistributing by a recording medium or communication link, the key(master key or media key) required for recording/playback of contentdata on the recording medium so that each device can record or play backthe content data, the master key or the media key can be sent using asmall number of messages to the appropriate device without exposingsecret information. Specifically, in this construction, each device canobtain the key required for recording/playback of information on/fromthe recording medium by setting, as an updating node key, the keyrequired for generating the key required for recording/playback ofinformation on the recording medium (e.g., a node key assigned for eachleaf of the n-ary tree), distributing to each informationrecording/playback device an enabling key block including informationgenerated by encrypting the updating node key using a leaf key and thenode key possessed only by an appropriate device so that the informationcan be decrypted, and performing enabling-key-block decryption in eachinformation recording/playback device when it receives the enabling keyblock.

The security of the above construction is based on that an encryptionkey given to the information recording/playback device, and the mediakey for use in encryption/decryption processing in recording/playback ofdata on the recording medium are not exposed. Accordingly, there is noproblem if the media key is prevented from being exposed. However,exposure of the media key, which must be kept secret, significantlyaffects the system.

SUMMARY OF THE INVENTION

To solve the foregoing problems, it is an object of the presentinvention to provide an information recording device, an informationplayback device, an information recording method, and an informationplayback method in which in an ordinary data reading technique, by usingsecret information written so that its data cannot be analyzed, as datafor generating a key used for encryption/decryption processing inrecording/playback of data on a recording medium, unauthorized use of acontent is prevented, and in which high-level security is maintained bygreatly reducing a possibility of leakage of various data used inencryption/decryption processing in recording/playback. The object ofthe present invention is also to provide an information recording mediumand a program providing medium which are used with the informationrecording device and method and the information playback device andmethod.

To this end, according to a first aspect of the present invention, thereis provided an information recording device for recording information ona recording medium, including a cryptosystem unit for executingencryption processing on data to be stored on the recording medium, anda secret-information decoding unit for reading secret information storedon the recording medium by executing a special data-reading processwhich is different from a process of reading content data stored on therecording medium. The cryptosystem unit generates a content-encryptionkey by using, as a key-generating data, the secret information which isdecoded after being read from the recording medium, and executes, basedon the content-encryption key, the encryption processing on the data tobe stored.

Preferably, the secret information includes a type of data among astamper ID which is stored on the recording medium when the recordingmedium is produced and which is common to a plurality of recordingmedia, a disk ID which is unique to each of the recording media, acontent ID which is differently set for each content, and a cryptosystemkey, and the secret-information decoding unit executes a decodingprocess on the read data.

The cryptosystem unit may use the read secret information to generatethe content-encryption key, and the read secret information may beallowed to be used only in the generation of the content-encryption keywhich is executed in the cryptosystem unit, without being stored instorage unit which is readable from the outside of the informationrecording device.

The information recording device may possess node keys which are uniqueto nodes constituting a hierarchical tree structure having a pluralityof different information recording devices as leaves. The cryptosystemunit may generate the content-encryption key based on the read secretinformation and encryption-key-generating data which is stored in theinformation recording device. The encryption-key-generating data may beupdated by using an enabling key block generated such that a node key isencrypted by using a key including at least one of a node key and a leafkey which are positioned at a lower level.

The encryption-key-generating data may be one of a master key common toa plurality of information recording devices and a media key unique to aspecified recording medium.

The encryption-key-generating data may correspond to a generation numberas updating information, and when storing encrypted data on therecording medium, the cryptosystem unit may store on the recordingmedium the generation number of the encryption-key-generating data as arecording-mode generation number.

The information recording device may further include a transport-streamprocessing unit for adding an arrival time stamp to each of transportpackets constituting a transport stream. The cryptosystem unit maygenerate a block key as an encrypted key for block data composed of atleast one transport packet to which the arrival time stamp is added. Inencryption of the data to be stored on the recording medium, thecryptosystem unit may generate a block key as an encryption key based ondata including the secret information, the encryption-key-generatingdata, and a block seed as additional information which includes thearrival time stamp and which is unique to the block data.

The secret-information decoding unit may be structured to executedecoding processing on data which is stored on the recording medium byusing a binary sequence to disturb a string of bits constituting thesecret information. The secret-information decoding unit may executedecoding processing of the secret information by generating the binarysequence and executing arithmetic processing using the generated binarysequence and a playback signal from the recording medium.

The secret-information decoding unit may read, from the recordingmedium, data which is recorded in a form converted in a predeterminedmanner from the secret information in units of a plurality of bitsconstituting the secret information, and may execute decoding processingon the secret information by converting the read data again.

According to a second aspect of the present invention, there is providedan information playback device for playing back information recorded ona recording medium, which includes a cryptosystem unit for executingdecryption processing on data read from the recording medium, and asecret-information decoding unit for reading secret information storedon the recording medium by executing a special data-reading processwhich is different from a process of reading content data stored on therecording medium. The cryptosystem unit generates a content-decryptionkey by using, as a key-generating data, the secret information which isdecoded after being read from the recording medium, and executes, basedon the content-decryption key, the decryption processing on the readdata.

Preferably, the secret information includes a type of data among astamper ID which is stored on the recording medium when the recordingmedium is produced and which is common to a plurality of recordingmedia, a disk ID which is unique to each of the recording media, acontent ID which is differently set for each content, and a cryptosystemkey, and the secret-information decoding unit executes a decodingprocess on the read data.

The cryptosystem unit may use the read secret information to generatethe content-decryption key, and the read secret information may beallowed to be used only in the generation of the content-decryption keywhich is executed in the cryptosystem unit, without being stored instorage unit which is readable from the outside of the informationrecording device.

The information recording device may possess node keys which are uniqueto nodes constituting a hierarchical tree structure having a pluralityof different information recording devices as leaves. The cryptosystemunit may generate the content-encryption key based on the read secretinformation and decryption-key-generating data which is stored in theinformation recording device. The decryption-key-generating data may beupdated by using an enabling key block generated such that a node key isencrypted by using a key including at least one of a node key and a leafkey which are positioned at a lower level.

The decryption-key-generating data may be one of a master key common toa plurality of information recording devices and a media key unique to aspecified recording medium.

The decryption-key-generating data may correspond to a generation numberas updating information, and when storing encrypted data on therecording medium, the cryptosystem unit may store on the recordingmedium the generation number of the decryption-key-generating data as arecording-mode generation number.

The information playback device may further include a transport-streamprocessing unit for adding an arrival time stamp to each of transportpackets constituting a transport stream. The cryptosystem unit maygenerate a block key as an encrypted key for block data composed of atleast one transport packet to which the arrival time stamp is added, andin decryption of the data to be stored on the recording medium, thecryptosystem unit may generate a block key as a decryption key based ondata including the secret information, the decryption-key-generatingdata, and a block seed as additional information which includes thearrival time stamp and which is unique to the block data.

The secret-information decoding unit may be structured to executedecoding processing on data which is stored on the recording medium byusing a binary sequence to disturb a string of bits constituting thesecret information, and the secret-information decoding unit may executedecoding processing of the secret information by generating the binarysequence and executing arithmetic processing using the generated binarysequence and a playback signal from the recording medium.

The secret-information decoding unit may read, from the recordingmedium, data which is recorded in a form converted in a predeterminedmanner from the secret information in units of a plurality of bitsconstituting the secret information, and may execute decoding processingon the secret information by converting the read data again.

According to a third aspect of the present invention, there is providedan information recording method for recording information on a recordingmedium, which includes a secret-information decoding step which readssecret information stored on the recording medium by executing a specialdata-reading process which is different from a process of readingcontent data stored on the recording medium, and a cryptosystem stepwhich generates a content-encryption key by using, as a key-generatingdata, the secret information which is decoded after being read from therecording medium in the secret-information decoding step, and executes,based on the content-encryption key, the encryption processing on thedata to be stored.

The secret information may include a type of data among a stamper IDwhich is stored on the recording medium when the recording medium isproduced and which is common to a plurality of recording media, a diskID which is unique to each of the recording media, a content ID which isdifferently set for each content, and a cryptosystem key, and thesecret-information decoding unit may execute a decoding process on theread data.

The cryptosystem step may include a step which uses the read secretinformation to generate the content-encryption key, and the read secretinformation is allowed to be used only in the generation of thecontent-encryption key which is executed in the cryptosystem step,without being stored in storage unit which is readable from the outsideof the information recording device.

The cryptosystem step may include a step which generates thecontent-encryption key based on the read secret information andencryption-key-generating data which is stored in the informationrecording device, and the encryption-key-generating data may be updatedby an enabling key block generated such that in a hierarchical treestructure having a plurality of different information recording devicesas leaves, branches as nodes, and unique keys set for the leaves and thenodes, a node key is encrypted by using a key including at least one ofa node key and a leaf key which are positioned at a lower level.

The encryption-key-generating data may be one of a master key common toa plurality of information recording devices and a media key unique to aspecified recording medium.

The encryption-key-generating data may correspond to a generation numberas updating information, and when storing encrypted data on therecording medium, the cryptosystem step may store on the recordingmedium the generation number of the encryption-key-generating data as arecording-mode generation number.

The information recording method may further include a transport-streamprocessing step for adding an arrival time stamp to each of transportpackets constituting a transport stream. The cryptosystem step mayinclude a step which generates a block key as an encrypted key for blockdata composed of at least one transport packet to which the arrival timestamp is added, and in encryption of the data to be stored on therecording medium, the cryptosystem step may generate a block key as anencryption key based on data including the secret information, theencryption-key-generating data, and a block seed as additionalinformation which includes the arrival time stamp and which is unique tothe block data.

The secret-information decoding step may include a step which executesdecoding processing on data which is stored on the recording medium byusing a binary sequence to disturb a string of bits constituting thesecret information, and the secret-information decoding step may executedecoding processing of the secret information by generating the binarysequence and executing arithmetic processing using the generated binarysequence and a playback signal from the recording medium.

The secret-information decoding step may read, from the recordingmedium, data which is recorded in a form converted in a predeterminedmanner from the secret information in units of a plurality of bitsconstituting the secret information, and may execute decoding processingon the secret information by converting the read data again.

According to a fourth aspect of the present invention, there is providedan information playback method for playing back information from arecording medium, which includes a secret-information decoding stepwhich reads secret information stored on the recording medium byexecuting a special data-reading process which is different from aprocess of reading content data stored on the recording medium, and adecryption step which generates a content-decryption key by using, as akey-generating data, the secret information which is decoded after beingread from the recording medium in the secret-information decoding step,and executes, based on the content-decryption key, the decryptionprocessing on the read data.

Preferably, the secret information includes a type of data among astamper ID which is stored on the recording medium when the recordingmedium is produced and which is common to a plurality of recordingmedia, a disk ID which is unique to each of the recording media, acontent ID which is differently set for each content, and a cryptosystemkey, and the secret-information decoding step executes a decodingprocess on the read data.

The decryption step may include a step which uses the read secretinformation to generate the content-decryption key, and the read secretinformation may be allowed to be used only in the generation of thecontent-decryption key which is executed in the cryptosystem unit,without being stored in storage unit which is readable from the outsideof the information recording device.

The decryption step may include a step which generates thecontent-decryption key based on the read secret information anddecryption-key-generating data which is stored in the informationrecording device, and the decryption-key-generating data may be updatedby an enabling key block generated such that in a hierarchical treestructure having a plurality of different information recording devicesas leaves, branches as nodes, and unique keys set for the leaves and thenodes, a node key is encrypted by using a key including at least one ofa node key and a leaf key which are positioned at a lower level.

The decryption-key-generating data may be one of a master key common toa plurality of information playback devices and a media key unique to aspecified recording medium.

The decryption-key-generating data may correspond to a generation numberas updating information, and when storing encrypted data on therecording medium, the decryption step may store on the recording mediumthe generation number of the decryption-key-generating data as arecording-mode generation number.

The information playback method may further include a transport-streamprocessing step for adding an arrival time stamp to each of transportpackets constituting a transport stream. The decryption step may includea step which generates a block key as an encryption key for block datacomposed of at least one transport packet to which the arrival timestamp is added, and in playback of the data to be stored on therecording medium, the decryption step may generate a block key as adecryption key based on data including the secret information, thedecryption-key-generating data, and a block seed as additionalinformation which includes the arrival time stamp and which is unique tothe block data.

The secret-information decoding step may include a step which executesdecoding processing on data which is stored on the recording medium byusing a binary sequence to disturb a string of bits constituting thesecret information, and the secret-information decoding step may executedecoding processing of the secret information by generating the binarysequence and executing arithmetic processing using the generated binarysequence and a playback signal from the recording medium.

The secret-information decoding step may read, from the recordingmedium, data which is recorded in a form converted in a predeterminedmanner from the secret information in units of a plurality of bitsconstituting the secret information, and may execute decoding processingon the secret information by converting the read data again.

According to a fifth aspect of the present invention, there is providedan information recording medium containing secret information which canbe played back only by executing a special data-reading processdifferent from an ordinary data-reading process, and an encryptedcontent which can be decrypted by using a cryptosystem key which can begenerated by using the secret information.

Preferably, the secret information includes a type of data among astamper ID common to a plurality of recording media, a disk ID which isunique to each of the recording media, a content ID which is differentlyset for each content, and a cryptosystem key.

According to a sixth aspect of the present invention, there is provideda program providing medium for providing a computer program whichcontrols a computer system to execute information-recording processingfor recording information on a recording medium. The computer programincludes a secret-information decoding step which reads secretinformation stored on the recording medium by executing a specialdata-reading process which is different from a process of readingcontent data stored on the recording medium, and a cryptosystem stepwhich generates a content-encryption key by using, as a key-generatingdata, the secret information which is decoded after being read from therecording medium in the secret-information decoding step, and executes,based on the content-encryption key, the encryption processing on thedata to be stored.

According to a seventh aspect of the present invention, there isprovided a program providing medium for providing a computer programwhich controls a computer system to execute information-playbackprocessing for playing back information stored on a recording medium.The computer program includes a secret-information decoding step whichreads secret information stored on the recording medium by executing aspecial data-reading process which is different from a process ofreading content data stored on the recording medium, and a decryptionstep which generates a content-decryption key by using, as akey-generating data, the secret information which is decoded after beingread from the recording medium in the secret-information decoding step,and executes, based on the content-decryption key, the decryptionprocessing on the read data.

Each of the program providing media according to the sixth and seventhaspects of the present invention provides a computer program in acomputer-readable form to a general-purpose computer system which canexecute various program codes. The form of the recording medium is notparticularly limited, but may be a recording medium such as compactdisk, floppy disk, or magneto-optical disk, or a transmission mediumsuch as a network.

This type of program providing medium defines a cooperative relationshipin structure and function between the computer program and the providingmedium for implementing on a computer system the functions of apredetermined computer program. In other words, by using the providingmedium to install the computer program in the computer system, thecomputer system exhibits cooperative operation, and operation andadvantages similar to those obtained in the other aspects of the presentinvention can be obtained.

According to the present invention, by storing beforehand, on arecording medium, a signal representing secret information in which areading/writing thereof cannot be analyzed and which can be read in aspecial reading method, the secret information is controlled to operateon content encryption or a cryptosystem key for decryption in the caseof recording or playing back contents such as music data and image data.Accordingly, only an appropriate device that can execute a specifiedreading method is allowed to perform the reading of the secretinformation and the generation of a content cryptosystem key, so that adevice that cannot execute the reading of the secret information can beeffectively prevented from performing content playback.

According to the present invention, secret information capable of beingread only by a special reading method is read only in an appropriatedevice that can execute a method of reading the secret information. Thesecret information is used for processing of generating a key forcontent cryptosystem processing which is performed under secureprotection in, for example, an cryptosystem unit which is included in anLSI and which execute the generation of a highly protected cryptosystemkey, so that the secret information is not stored in an externallyreadable memory. Therefore, there is no possibility that that secretinformation may leak, and unauthorized processing of content playbackcan be effectively prevented.

According to the present invention, by using a tree-structure keydistribution, updating data for a master key and a media key istransmitted with an enabling key block and a cryptographic key forcontent encryption and decryption is generated based on the transmittedmaster key and media key and secret information capable of being read ina special reading technique. Thus, each content may be used in anappropriate device which can execute the special reading technique onthe secret information and to which a key is distributed by thetree-structure key distribution.

According to the present invention, even if another cryptographic key isexposed, data which is stored as secret information on a recordingmedium can be safely protected. Also, unauthorized processing such asplayback is impossible, so that contents can be protected at a highsecurity level.

Further objects, features and advantages of the present invention willbecome apparent from the following description of the preferredembodiments with reference to the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing an example of an informationrecording/playback device of the present invention;

FIG. 2 is a block diagram showing an example of an informationrecording/playback device of the present invention;

FIGS. 3A and 3B are flowcharts showing a process of recording a digitalsignal and a process of recording an analog signal;

FIGS. 4A and 4B are flowcharts showing reproduction processes in digitaland analog output modes;

FIG. 5 consists of illustrations of a data format processed in aninformation recording/playback device of the present invention;

FIG. 6 is a block diagram showing a transport stream processing unit inan information recording/playback device of the present invention;

FIGS. 7A, 7B, and 7C are illustrations of transport streams processed inan information recording/playback device of the present invention;

FIG. 8 is a block diagram showing a transport stream processing unit inan information recording/playback device;

FIG. 9 is a block diagram showing a transport stream unit in aninformation recording/playback device of the present invention;

FIG. 10 consists of illustrations of a block data as a block seed asadditional information of block data processed by an informationrecording/playback device of the present invention;

FIG. 11 is a tree structure chart illustrating encryption of keys asmaster key and media key for an information recording/playback device ofthe present invention;

FIGS. 12A and 12B ate charts showing enabling key blocks used fordistributing keys such as master key and media key to an informationrecording/playback device of the present invention;

FIG. 13 is an illustration of the distribution and decryption byenabling key block of a master key in an information recording/playbackdevice of the present invention;

FIG. 14 is a flowchart showing a process for decryption by enabling keyblock of a master key in an information recording/playback device of thepresent invention;

FIG. 15 is a flowchart showing a process for comparing the generationsof a master key in content recording processing in an informationrecording/playback device of the present invention;

FIG. 16 is a block diagram illustrating encryption in data recordingmode in an information recording/playback device of the presentinvention;

FIG. 17 is a block diagram illustrating encryption in data recordingmode in an information recording/playback device of the presentinvention;

FIG. 18 is a flowchart illustrating a data recording process in aninformation recording/playback device of the present invention;

FIGS. 19A and 19B are illustrations of the generation of disk uniquekeys in an information recording/playback device of the presentinvention;

FIG. 20 is an illustration of the position of an Encryption ModeIndicator stored in an IEEE 1394 packet for transmission which isprocessed in an information recording/playback device of the presentinvention;

FIG. 21 is a flowchart illustrating a process of determining which of acognizant mode and a non-cognizant mode should be used for executingcontent recording in an information recording/playback device of thepresent invention;

FIGS. 22A and 22B are illustrations of the generation of title uniquekeys in the recording of data in an information recording/playbackdevice of the present invention;

FIGS. 23A and 23B are illustrations of the generation of block keys inan information recording/playback device of the present invention;

FIG. 24 is a flowchart illustrating a process for generating a titleunique key in an information recording/playback device of the presentinvention;

FIG. 25 is a block diagram showing a modulation circuit applied to therecording of secret information such as stamper ID in an informationrecording/playback device of the present invention;

FIG. 26 is a block diagram showing a decryption processor used for thesecret information playback described using FIG. 25;

FIG. 27 consists of illustrations of recorded secret information such asstamper ID in an information recording/playback device of the presentinvention;

FIG. 28 is a block diagram showing a decryption unit for the secretinformation shown in FIG. 27;

FIG. 29 is a block diagram showing an example of an informationrecording/playback device of the present invention which stores acognizant key;

FIG. 30 is a block diagram showing an example of an informationrecording/playback device of the present invention which stores anon-cognizant key;

FIG. 31 is a block diagram showing a recording/playback device of thepresent invention in which decryption of content data in playback ofdata is performed;

FIG. 32 is a flowchart illustrating a data playback process in aninformation recording/playback device of the present invention;

FIG. 33 is a flowchart illustrating a detailed process of whether or notdata can be played back, which is performed in an informationrecording/playback device of the present invention;

FIG. 34 is a flowchart illustrating a process of generating a titleunique key in data playback in an information recording/playback deviceof the present invention;

FIG. 35 is an illustration of the distribution and decryption byenabling key block of a media key in an information recording/playbackdevice of the present invention;

FIG. 36 is a flowchart illustrating a process of decryption by enablingkey block of a media key in an information recording/playback device ofthe present invention;

FIG. 37 is a flowchart illustrating a process of content recording usinga media key in an information recording/playback device of the presentinvention;

FIG. 38 is a block diagram showing media-key-used encryption in datarecording;

FIG. 39 is a block diagram showing media-key-used encryption in datarecording;

FIG. 40 is a flowchart illustrating a data recording process using amedia key in an information recording/playback device of the presentinvention;

FIG. 41 is a block diagram showing media-key-used encryption in playbackof data which is performed in an information recording/playback deviceof the present invention;

FIG. 42 is a flowchart illustrating media-key-used playback of data inan information recording/playback device of the present invention;

FIG. 43 is a flowchart illustrating a detailed process in media-key-usedplayback of data, which determines whether or not data can be playedback in an information recording/playback device of the presentinvention;

FIGS. 44A and 44B are flowcharts illustrating copy-control processes inthe recording of data in an information recording/playback device of thepresent invention;

FIGS. 45A and 45B are flowcharts illustrating copy-control processes inthe playback of data in an information recording/playback device of thepresent invention;

FIG. 46 is a block diagram showing a processing structure used when dataprocessing is executed by software in an information recording/playbackdevice of the present invention;

FIG. 47 is a block diagram showing a producing apparatus that producesan information recording medium for use in an informationrecording/playback device of the present invention;

FIG. 48 is a flowchart illustrating a production process that producesan information recording medium for use in an informationrecording/playback device of the present invention;

FIG. 49 is an illustration of a format of an enabling key block used inan information recording/playback device of the present invention; and

FIG. 50 is an illustration of the structure of a tag in an enabling keyblock used in an information recording/playback device of the presentinvention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

System Configuration

FIG. 1 is a block diagram showing an embodiment of a recording/playbackdevice 100 to which the present invention is applied. Therecording/playback device 100 includes an input/output interface (I/F)120, an MPEG (Moving Picture Experts Group) codec 130, an input/outputI/F 140 including an analog-to-digital and digital-to-analog (A/D-D/A)converter 141, an cryptosystem unit 150, a read-only memory (ROM) 160, acentral processing unit (CPU) 170, a memory 180, a drive 190 for arecording medium 195, a transport-stream (TS) processing unit 300, and asecret-information decoding unit 500. These are connected to one anotherby a bus 110.

The input/output I/F 120 receives a digital signal representing variouscontents which are externally supplied, such as image, sound, andprogram, and outputs the received digital signal to the bus 110. Theinput/output I/F 120 also receives a digital signal on the bus 110 andoutputs the digital signal to the exterior. MPEG-encoded data which issupplied via the bus 110 is MPEG-decoded and output to the input/outputI/F 140 by the MPEG codec 130. Also, a digital signal which is suppliedfrom the input/output I/F 140 is MPEG-encoded and output to the bus 110by the MPEG codec 130. The input/output I/F 140 includes the A/D-D/Aconverter 141. The input/output I/F 140 receives an analog signal as anexternally supplied content, and outputs, to the MPEG codec 130, adigital signal obtained by using the A/D-D/A converter 141 to performanalog-to-digital conversion on the analog signal. The input/output I/F140 outputs to the exterior an analog signal obtained by using theA/D-D/A converter 141 to perform digital-to-analog conversion on adigital signal from the MPEG codec 130.

The cryptosystem unit 150 is formed by, for example, a single-chiplarge-scale integrated circuit (LSI). A digital signal as a contentsupplied via the bus 110 is encrypted or decrypted and output by thecryptosystem unit 150. The cryptosystem unit 150 is not limited to thesingle-chip LSI, but can be formed by combining various types ofsoftware or various types of hardware. The structure of a processingunit formed by software is described later.

The ROM 160 stores, for example, leaf keys, as device keys, which areunique to recording/playback devices or which are unique to groups ofrecording/playback devices, and node keys which are common to aplurality of recording/playback devices or to groups thereof. The CPU170 controls the MPEG codec 130, the cryptosystem unit 150, etc., byexecuting a program stored in the memory 180. The memory 180 is, forexample, a nonvolatile memory, and stores programs executed by the CPU170, and data required for the operation of the CPU 170. By driving therecording medium 195, to/from which digital data can be recorded/playedback, the drive 190 reads (plays back) and outputs digital data from therecording medium 195 to the bus 110, and supplies digital data suppliedvia the bus 110 so that the digital data is recorded on the recordingmedium 195. The device keys may be stored in the memory 180.

The recording medium 195 is a medium that can store digital data, forexample, an optical disk such as digital versatile disk (DVD) or compactdisk (CD), magneto-optical disk (MO), magnetic disk, magnetic tape, orsemiconductor memory such as RAM. In this embodiment, the recordingmedium 195 can be loaded/unloaded into/from the drive 190. However, therecording medium 195 may be built into the recording/playback device100.

The TS processing unit 300, which is fully described later withreference to FIG. 6 and the following drawings, performs data processingthat, after extracting transport packets corresponding to a specifiedprogram from a transport stream in which a plurality of TV programs(contents) are multiplexed, stores appearance-timing information of theextracted transport packets on the recording medium 195, with eachpacket, and appearance-timing-control processing in the mode of readingfrom the recording medium 195.

In the transport stream, an arrival time stamp (ATS) is set asappearance-timing information of each transport packet. This timing isdetermined in an encoding mode so as not to break a transport streamsystem target decoder (T-STD) which is a virtual decoder defined inMPEG-2. When the transport stream is played back, an arrival time stampthat is added to each transport packet controls the appearance timing.The TS processing unit 300 executes control of these steps. For example,for recording a transport packet on the recording medium 195, thetransport packet is recorded as a source packet in which intervals ofpackets are shortened. By recording the transport stream on therecording medium 195 with the appearance timing of each transportstream, the output timing of each transport packet can be controlled inplayback mode. When recording data on the recording medium 195 such asDVD, the TS processing unit 300 additionally records an arrival timestamp representing the input timing of each transport packet.

The recording/playback device 100 of the present invention executesencryption of a content composed of a transport stream to which thearrival time stamp is added, and the encrypted content is stored on therecording medium 195. The cryptosystem unit 150 executes decoding on theencrypted content which is stored on the recording medium 195. Thedetails of these processes are described later.

The secret-information decoding unit 500 is a processing unit thatexecutes the reading and decoding of secret information which can beread by performing a special reading process stored on the recordingmedium 195. The secret information stored on the recording medium 195includes, for example, a stamper ID set for each stamper in diskproduction, a disk ID differently set for each disk, a content IDdifferently set for each content, and various identification data andcryptographic keys, such as keys for use in cryptosystem processing.

The secret-information decoding unit 500 reads and decodes the secretinformation stored on the recording medium 195, and transfers thedecoded secret information to the cryptosystem unit 150. Thecryptosystem unit 150 uses the secret information to generate acryptographic key which is used when a content is recorded/read on/fromthe recording medium 195. The secret information, decoded by thesecret-information decoding unit 500, is used only when acontent-encryption key is generated in the cryptosystem unit 150,without being stored in a storage unit which is readable from theoutside of the recording/playback device 100, so that the secretinformation is prevented from leaking to the exterior.

The cryptosystem unit 150, the TS processing unit 300, and thesecret-information decoding unit 500 are shown as separate blocks forease of understanding. However, the units 150, 300, and 500 may beformed as one or a plurality of LSIs that execute the functions of theunits. Also, any of the functions may be implemented by combiningsoftware and hardware.

The construction shown in FIG. 2 can be used as an embodiment of arecording/playback device in addition to the construction shown inFIG. 1. In a recording/playback device 200 shown in FIG. 2, a recordingmedium 205 can be removably loaded into a recording medium interface(I/F) 210 as a drive unit, and data reading and writing can beperformed, even if the recording medium 205 is loaded into anotherrecording/playback device.

Data-Recording Process and Data Reading Process

Next, with reference to the flowcharts shown in FIGS. 3A to 4B, aprocess of recording data on the recording medium 195 and a process ofplayback of data from the recording medium 195 in the recording/playbackdevice 100 or 200 in FIG. 1 or 2 are described below.

When a digital-signal content from the exterior is recorded on therecording medium 195, a recording process in accordance with theflowchart shown in FIG. 3A is performed.

Specifically, a digital-signal content (digital content) is supplied tothe input/output I/F 120 via, for example, an IEEE (Institute ofElectrical and Electronic Engineers) 1394 serial bus or the like, instep S301, the supplied content is received and output to the TSprocessing unit 300 via the bus 110.

In step S302, the TS processing unit 300 generates block data in whichan arrival time stamp is added to each transport packet forming atransport stream, and outputs the block data to the cryptosystem unit150 via the bus 110.

In step S303, the cryptosystem unit 150 executes encryption processingon the received content, and outputs the obtained encrypted content tothe drive 190 or the recording medium I/F 210 via the bus 110. Theencrypted content is recorded (step S304) on the recording medium 195via the drive 190 or the recording medium I/F 210, and the recordingprocess ends. The encryption processing in the cryptosystem unit 150 isdescribed later.

Five companies including the assignee of the present Application, SonyCorporation, has established the Five Company Digital TransmissionContent Protection (hereinafter referred to as the “5CDTCP” or “DTCP”)system as a standard for protecting digital contents in a case in whichthe digital contents are transmitted between devices connected by anIEEE 1394 serial bus. In the DTCP, when a digital content having nocopy-free information is transmitted between devices, authenticationwhich determines whether or not copy-control information for copycontrol is properly treated is mutually performed before performing datatransmission. After that, the digital content is encrypted andtransmitted at a transmitting end, and the encrypted digital content(hereinafter referred to also as the “encrypted content”) is decryptedat the receiving end.

In data transmission/reception based on the DTCP standard, in step S301,the input/output I/F 120 at the data receiving end receives theencrypted content via the IEEE 1394 serial bus. After decrypting theencrypted content in accordance with the DTCP standard, the input/outputI/F 120 outputs the content as plaintext to the cryptosystem unit 150.

Digital content encryption based on the DTCP is performed by using atime-changing key after generating the key. The encrypted digitalcontent is transmitted on the IEEE 1394 serial bus, including a key usedfor the encryption, and at the receiving end, the encrypted digitalcontent is decrypted by using the key included therein.

According to the DTCP, accurately, an initial value of the key, and aflag representing timing of changing a key for use in encryption of thedigital content are included in the digital content. At the receivingend, by changing the initial value of the key included in the encryptedcontent, based on the timing of the flag included in the encryptedcontent, a key used for encryption is generated and the encryptedcontent is decoded. Here, it may be considered that the encryptedcontent is equivalent to a case in which a key for decrypting theencrypted content is included therein. Concerning the DTCP, on a Webpage specified by a uniform resource locator (URL) of, for example,http://www.dtcp.com, an information version can be obtained.

Next, with reference to the flowchart in FIG. 3B, a case in which ananalog signal content from the exterior is recorded on the recordingmedium 195 is described below.

When the analog signal content (hereinafter referred to also as the“analog content”) is supplied to the input/output I/F 140, in step S321,the input/output I/F 140 receives the analog content. In step S322, theinput/output I/F 140 generates a digital signal content (digitalcontent) by using the A/D-D/A converter 141 to perform analog-to-digitalconversion on the analog content.

The digital content is supplied to the MPEG codec 130. In step S323, theMPEG codec 130 performs MPEG encoding or encoding processing using MPEGcompression on the digital content, and supplies the encoded content tothe cryptosystem unit 150 via the bus 110.

After that, steps S324, S325, and S326 are performed identically tosteps S302, S303, and S304 in FIG. 3A. In other words, the addition ofan arrival time stamp to each transport packet by the TS processing unit300 and the encryption processing by the cryptosystem unit 150 areperformed. The resulted encrypted content is recorded on the recordingmedium 195, and the recording processing is terminated.

With reference to the flowcharts shown in FIGS. 4A and 4B, processing inwhich a content recorded on the recording medium 195 is played back andoutput as a digital content or an analog content is described below.

A process of outputting the content as a digital content to the exterioris executed as a playback process in accordance with the flowchart inFIG. 4A. Specifically, in step S401, the encrypted content recorded onthe recording medium 195 is read by the drive 190 or the recordingmedium I/F 210, and is output to the cryptosystem unit 150 via the bus110.

In step S402, the cryptosystem unit 150 performs decryption processingon the encrypted content supplied from the drive 190 or the recordingmedium I/F 210, and outputs the decrypted data to the TS processing unit300 via the bus 110.

In step S403, the TS processing unit 300 determines output timing fromthe arrival time stamp of each transport packet forming the transportstream, performs control in accordance with the arrival time stamp, andsupplies the transport packet to the input/output I/F 120 via the bus110. The input/output I/F 120 outputs the digital content from the TSprocessing unit 300 to the exterior and terminates the playbackprocessing. The processing of the TS processing unit 300 and thedigital-content decoding processing of the cryptosystem unit 150 aredescribed later.

In step S404, when outputting the digital content via the IEEE 1394serial bus, the input/output I/F 120 performs mutual authentication withanother device, as described above, and succeedingly transmits thedigital content in an encrypted form.

When the content recorded on the recording medium 195 is played back andoutput as an analog content to the exterior, a playback process inaccordance with the flowchart in FIG. 4 is performed.

Specifically, steps S421, S422, and S423 are performed identically tosteps S401, S402, and S403. These supply the MPEG codec 130 via the bus110 with the decoded digital content obtained in the cryptosystem unit150.

In step S424, the MPEG codec 130 performs MPEG decoding or decompressionprocessing on the digital content, and supplies the decompressed contentto the input/output I/F 140. In step S425, the input/output I/F 140generates an analog content by using the built-in A/D-D/A converter 141to perform digital-to-analog conversion on the MPEG-decoded digitalcontent. In step S426, the input/output I/F 140 outputs the analogcontent to the exterior and terminates the playback process.

Data Format

Next, with reference to FIG. 5, a data format on the recording medium195 in the present invention is described below.

In the present invention, a minimum unit for reading/writing datafrom/on the recording medium 195 is called a “block”. One block has asize of 192 by X bytes (e.g., X=32).

In the present invention, a 4-byte arrival time stamp is added to a188-byte transport stream packet in accordance with MPEG-2 so that thetotal size is 192 bytes, and X ATS-added transport stream packetsconstitute one block of data. An arrival time stamp is data of 24 to 32bits which represents an arrival time. An arrival time stamp is formedas random data in accordance with the arrival time of each packet. Inone block (sector) of the recording medium 195, X ATS-added transportstream packets are recorded. In the present invention, by using anarrival time stamp added to the first transport stream packet of eachblock forming a transport stream, a block key for encrypting the data ofthe block (sector) is generated.

By using the random arrival time stamp to generate the encryption blockkey, different unique keys for blocks are generated. The generated blockunique keys are used to perform encryption processing on blocks. Also,by employing the ATS-used generation of the block keys, the need for thearea of the recording medium 195 required for the encryption keys iseliminated, and a main data area can be effectively used. Thiseliminates the need for accessing data other than the main data in datarecording and reading modes, so that efficient processing can beperformed.

The block seed shown in FIG. 5 is additional information including thearrival time stamp. The block Seed may include not only the arrival timestamp but also copy control information (hereinafter referred to also as“CCI”). In this case, by using the arrival time stamp and the copycontrol information, each block key can be generated.

The copy control information included in the block seed, which isdescribed later, is copy control information proposed as a jointproposal of five enterprises by the DTCP system. The copy controlinformation reflects one of two types of information in accordance withdevice performance, namely, encryption mode indicator (EMI), andembedded CCI which is copy control information embedded in a content andwhich is applied to a format having a predetermined portion for sendingcopy control information.

In the present invention, when data is stored on a recording medium suchas a DVD, most of content data is encrypted, but first m bytes (e.g.,m=8 or 16) of the block are not encrypted and recorded as unencrypteddata, and the remaining data (byte m+1 or greater) is encrypted, as isindicated by the bottom image in FIG. 5. This is because encrypted datalength is restricted by performing the encryption processing in units ofeight bytes. If the encryption processing can be performed not in unitsof eight bytes but in units of one byte, all portions excluding theblock seed may be encrypted using m=4.

Processing by TS Processing Unit 300

The function of the arrival time stamp is described below.

As described above, the arrival time stamp is added in order to storethe appearance timing of each transport packet in an input transportstream.

Specifically, when one or more TV programs (contents) are extracted froma transport stream in which a plurality of TV programs (contents) aremultiplexed, transport stream packets constituting the transport streamappear irregularly (see FIG. 7A). In the transport stream, theappearance timing of each transport packet has important meaning. Theappearance timing is determined in encoding mode so as not to break atransport stream system target decoder (T-STD) which is a virtualdecoder defined in MPEG-2 (ISO/IEC 13818-1).

When the transport stream is played back, the appearance timing iscontrolled by the arrival time stamp added to each transport packet.Accordingly, when recording transport packets on the recording medium195, the input timing of each transport packet must be stored. Thus,when recording the transport packet on the recording medium 195, anarrival time stamp that represents the input timing of each transportpacket is additionally recorded.

FIG. 6 is a block diagram illustrating processing executed by the TSprocessing unit 300 when a transport stream input via a digitalinterface is recorded on a storage medium as the recording medium 195.From a terminal 600, a transport stream is input as digital data ofdigital broadcasting. In FIG. 1 or 2, the transport stream is input fromthe terminal 600 either via the input/output I/F 120 or via theinput/output I/F 140 and the MPEG codec 130.

The transport stream is input to a bit stream parser 602. The bit streamparser 602 detects a program clock reference (PCR) packet from the inputtransport stream. The PCR packet is such that PCR defined in MPEG-2 isencoded. The PCR packet is obtained by performing encoding at timeintervals of 100 milliseconds or less. The PCR represents a time atwhich a transport packet arrives at the receiving side, with precisionof 27 MHz.

In a 27-MHz phase-locked loop (PLL) 603, the 27-MHz clock signal of therecording/playback device is locked in the program clock reference ofthe transport stream. A time stamp generating circuit 604 generates atime stamp based on a count of clocks of the 27-MHz clock signal. Ablock seed adding circuit 605 uses a time stamp obtained when the firstbyte of a transport stream is input to a smoothing buffer 606, as anarrival time stamp, and adds the arrival time stamp to the transportstream.

The ATS-added transport packet passes through the smoothing buffer 606and is output from a terminal 607 to the cryptosystem unit 150. Afterthe ATS-added transport packet is encoded by the cryptosystem unit 150,the encoded transport packet is recorded on the recording medium 195 asa storage medium via the drive 190 (FIG. 1) or the recording medium I/F210 (FIG. 2).

FIGS. 7A to 7C show an example of a process performed when the inputtransport stream is recorded on the recording medium 195. FIG. 7A showsinput transport packets constituting a specified program (content),where the vertical axis is a time base indicating time on the transportstream. As shown in FIG. 7A, the input transport packets appear withirregular timing.

FIG. 7B shows an output from the block seed adding circuit 605. Theblock seed adding circuit 605 outputs source packets by adding, to eachtransport packet, a block seed including an arrival time stamprepresenting a time on the stream of the packets. FIG. 7C shows sourcepackets recorded on the recording medium 195. By recording the sourcepackets at shortened intervals as shown in FIG. 7C, the recording areaof the recording-medium 195 can be effectively used.

FIG. 8 shows a processing configuration of the TS processing unit 300 ina case in which the transport stream recorded on the recording medium195 is played back. An ATS-added transport packet, decoded by ancryptosystem unit (described later), is input from a terminal 800 to ablock seed separation circuit 801, and is separated into an arrival timestamp and a transport packet. A timing generating circuit 804 calculatesa time based on a clock counter value of a 27-MHz clock unit 805 of theTS processing unit 300 when it performs playback.

At the start of playback, the first arrival time stamp is set as aninitial value in a timing generating circuit 804. A comparator 803compares the arrival time stamp with the present time input from thetiming generating circuit 804. When the time generated by the timinggenerating circuit 804 is equal to the arrival time stamp, an outputcontrol circuit 802 outputs the transport packet to the MPEG codec 130or the input/output I/F 120.

FIG. 9 is a block diagram showing a case in which an input AV signal isMPEG-encoded by the MPEG codec 130 of the recording/reproducing unit100, and a transport stream is encoded by the TS processing unit 300.Accordingly, FIG. 9 is a block diagram showing a combination of the MPEGcodec 130 and the TS processing unit 300 in FIG. 1 or 2.

A video signal is input from a terminal 901 to an MPEG video encoder902.

The MPEG video encoder 902 encodes the input video signal to generate anMPEG video stream, and outputs the MPEG video stream to a video streambuffer 903. The MPEG video encoder 902 outputs access-unit informationon the MPEG video stream to a multiplex scheduler 908. An access unit isa picture, and the access-unit information is the picture type of eachpicture, an amount of encoded bits, and a decode-time stamp. The picturetype is I/P/B picture information. The decode-time stamp is informationdefined in MPEG-2.

An audio signal is input from a terminal 904 to an MPEG audio encoder905. The MPEG audio encoder 905 encodes the input audio signal togenerate an MPEG audio stream, and outputs the stream to an audio streambuffer 906. The MPEG audio encoder 905 also outputs access-unitinformation on the MPEG audio stream to the multiplex scheduler 908. Anaccess unit of an audio stream is an audio frame, and the access-unitinformation is an amount of encoded bits in each audio frame and adecode-time stamp.

Access-unit information on video and audio is input to the multiplexscheduler 908. Based on the input access-unit information, the multiplexscheduler 908 controls a method of encoding a video stream and an audiostream to generate transport packets. The multiplex scheduler 908includes a 27-MHz-precision clock generator for generating a referencetime, and determines packet-encoding control information for a transportpacket so as to satisfy a transport stream system target decoder as avirtual decoder model. The packet-encoding control information is a typeof a stream to be formed in packet and the length of a stream.

When the packet-encoding control information represents a video packet,a switch 976 connects to the side a, so that video data is read whichhas a payload data length designated by the packet-encoding controlinformation from the video stream buffer 903, and is input to atransport packet encoder 909.

When the packet-encoding control information represents an audio packet,the switch 976 connects to the side b, so that audio data is read whichhas a payload data length designated by the audio stream buffer 906, andis input to the transport packet encoder 909.

When the packet-encoding control information represents a program clockreference packet, the transport packet encoder 909 captures a programclock reference input from the multiplex scheduler 908, and outputs aprogram clock reference packet. When the packet-encoding controlinformation indicates that packet encoding is not performed, nothing isinput to the transport packet encoder 909.

When the packet-encoding control information indicates that packetencoding is not performed, the transport packet encoder 909 does notoutput any transport packet. In cases other than that, based on thepicture, the transport packet encoder 909 generates and outputstransport packets. Accordingly, the transport packet encoder 909intermittently outputs transport packets. Based on the program clockreference input from the multiplex scheduler 908, an arrival time stampcalculator 910 calculates, an arrival time stamp representing a time atwhich the first byte of the transport packet arrives at the receivingside.

The program clock reference input from the multiplex scheduler 908represents an arrival time at which the tenth byte of a transport packetdefined in MPEG-2 arrives at the receiving side. Thus, the value of thearrival time stamp is an arrival time of a byte that is positioned tenbytes before the time of the program clock reference.

A block-seed adding circuit 911 adds an arrival time stamp (ATS) to thetransport packet output from the transport packet encoder 909. TheATS-added transport packet which is output from the block-seed addingcircuit 911 passes through a smoothing buffer 912 to be input to thecryptosystem unit 150. After the input ATS-added transport packet isencrypted as described later, the encrypted ATS-added transport packetis recorded on the recording medium 195 as a storage medium.

Before being encrypted by the cryptosystem unit 150, the ATS-addedtransport packets to be recorded on the recording medium 195 are input,with the intervals of the packets shortened. After that, the encryptedATS-added transport packets are recorded on the recording medium 195.Even if transport packets are recorded with the intervals thereofshortened, a time at which the transport packets are input can becontrolled.

The length of an arrival time stamp is not limited to 32 bits, but maybe 24 to 31 bits. The longer the bit length of the arrival time stamp,the greater each cycle of a time counter for arrival time stamp. Forexample, when the time counter for arrival time stamp is a binarycounter with precision of 27 MHz, the time required for a cycle of a24-bit-length arrival time stamp is approximately 0.06 seconds. Thistime is sufficient for an ordinary transport stream. This is becauseunder provision of MPEG-2, each packet interval of transport streams isa maximum of 0.1 seconds. However, the arrival time stamp may have 24 ormore bits for sufficient tolerance.

In the above cases in which the bit length of the arrival time stamp isvariously set, there are a plurality of possible configurations for ablock seed as an additional data to block data.

FIG. 10 shows block seed configurations. In example 1 in FIG. 10,thirty-two bits are used for the arrival time stamp. In example 2 inFIG. 10, thirty bits are used for the arrival time stamp, and two bitsare used for copy control information. Copy control informationrepresents a state of copy control in data to which the copy controlinformation is added. Concerning copy control information, the SerialCopy Management System (SCMS) and the Copy Generation Management System(CGMS) are famous. By using copy control information based on thesesystems, types of information can be shown, such as “Copy Free”information indicating that data to which Copy Free information is addedmay be limitlessly copied, “One Generation Copy Allowed” informationindicating that the copying of data to which One Generation Copy Allowedinformation is added can be performed only in one generation, and “CopyProhibited” information indicating that the copying of data to whichCopy Prohibited information is added is prohibited.

In example 3 in FIG. 10, twenty-four bits are used for the arrival timestamp, two bits are used for the copy control information, and six bitsare used for other information. Various types of information, such asinformation representing the switching on/off of a Macrovision as ananalog-picture-copy-control mechanism in a case in whichother-information-included data is analog-output, can be used as otherinformation.

Tree Structure as Key Distribution Configuration

Next, a configuration is described below in which the recording/playbackdevice 100 or 200 in FIG. 1 or 2 distributes, to each device, the masterkey required for recording data on a recording medium or for playingback data from the recording medium 195.

FIG. 11 illustrates the distribution of a key for eachrecording/playback device in a recording system using the configuration.In FIG. 11, the numbers 0 to 15 shown at the bottom indicaterecording/playback devices, respectively. The leaves of the treestructure shown in FIG. 11 correspond to the devices.

Each of the devices 0 to 15 stores node keys assigned to nodes from itsleaf as a node to the root, and a leaf key corresponding to its leaf.The alphanumeric representations K0000 to K1111 shown in the bottom ofFIG. 11 are leaf keys assigned to the devices 0 to 15. In FIG. 11, thetop node KR to the nodes K000 to K111 in the second row from the bottomare node keys.

In the tree structure shown in FIG. 11, for example, device 0 possessesleaf key K0000, and node keys K000, K00, K0, and KR. Device 5 possessesleaf key K0101, and node keys K010, K01, K0, and KR. Device 15 possessesleaf key K1111, and node keys K111, K11, K1, and KR. Although the treestructure shown in FIG. 11 includes only the sixteen devices 0 to 15 andhas four levels and balanced symmetry, it may include more devices and adifferent number of levels in each portions of the tree.

The devices 0 to 15 as recording/playback devices include various typesof recording/playback devices that use various types of recording mediasuch as DVDs, CDs, MDs, and Memory Sticks (trademark). Also, it ispossible that various application services coexist. The key distributionin FIG. 11 is applied to a configuration in different devices anddifferent applications coexist.

In this system in which various devices and applications coexist, forexample, the portion surrounded by the dotted line in FIG. 11,specifically, devices 0, 1, 2, and 3 are treated as a group using asingle recording medium. To devices 0, 1, 2, and 3 included in thisgroup, a process of simultaneously sending by a provider a commoncontent in an encrypted form, a process of sending a master key for usein common, and a process of outputting content-charge-payment data in anencrypted form from each device to a provider are performed. Anauthority that transmits/receives data to/from each device, such as acontent provider or a settlement authority, treats the portionsurrounded by the dotted line in FIG. 11 as one group and performssimultaneous data-transmission processing. Similar groups exist in thetree in FIG. 11.

Node keys and leaf keys may be controlled by a single key, or may becontrolled for each group by an authority that transmits/receives datato/from each group, such as a provider or a settlement authority. Thesenode keys and leaf keys are updated, for example, when a leak of a keyoccurs, and the process of updating is executed by a key-control center,a provider, a settlement authority, etc.

As is clear from FIG. 11, in the tree structure, the three devices 0, 1,2, and 3 included in one group possess common keys K00, K0, and KR asnode keys. By using this node-key sharing system, for example, a commonmaster key can be provided to a limited number of devices 0, 1, 2, and3. For example, by using node key K00 itself, which is possessed incommon, as a master key, only devices 0, 1, 2, and 3 can use the masterkey in common without receiving a new key. In addition, by distributing,to devices 0, 1, 2, and 3, code Enc(K00, K_(master)) obtained byencrypting new master key K_(master) using node key K00 via a network orby using a recording medium containing the value, only devices 0, 1, 2,and 3 decrypt code Enc(K00, K_(master)) with shared master key K00,which is possessed by them, and can obtain K_(master), Data obtained byusing K_(a) to encrypt K_(b) is represented by Enc(K_(a), K_(b)).

When it is discovered at time “t” that the keys of device 3, K0011,K001, K00, K0, and KR have been analyzed and exposed by a hacker, device3 must be cut off from the system in order to protect data transmittedand received in the system (the group of devices 0, 1, 2, and 3) aftertime “t”. Accordingly, node keys K001, K00, K0, and KR must be updatedto generate new keys K(t)001, K(t)00, K(t)0, K(t)R, respectively, andthe new keys must be posted to devices 0, 1, 2, and 3. Here, K(t)aaarepresents an updated key in generation “t” of key Kaaa.

A process for distributing the updated keys is described below.

Key updating is performed by distributing, to devices 0, 1, and 2, atable formed by block data called an “enabling key block (EKB)” (shownin FIG. 12A), for example, via a network or by using recording mediacontaining the table.

In the enabling key block shown in FIG. 12A, only devices in which nodekeys must be updated are shown as block data having an updatable dataarrangement. The example shown in FIG. 12A is block data formed for thepurpose of distributing updated node keys in generation “t” inconnection with devices 0, 1, and 2 in the tree structure in FIG. 11. Asis clear from FIG. 11, devices 0 and 1 need K(t)00, K(t)0, and K(t)R asupdated keys, device 2 needs K(t)001, K(t)00, K(t)0, and K(t)R asupdated keys.

As the enabling key block in FIG. 12A shows, the enabling key blockincludes a plurality of encryption keys. The bottom encrypted key isEnc(K0010, K(t)001). This is updated node key K(t)001 obtained byperforming encryption using leaf key K0010 of device 2. Device 2 canobtain K(t)001 by using its own leaf key to decrypt encrypted keyEnc(K0010, K(t)001). By using K(t)001 obtained by decryption, the secondencrypted key Enc(K(t)001, K(t)00) from the bottom in FIG. 12A can bedecrypted. This makes it possible to obtain updated node key K(t)00.

Similarly, by decrypting the second encrypted key Enc(K(t)00, K(t)0)from the top in FIG. 12A, updated node key K(t)0 can be obtained. Bydecrypting the first encrypted key Enc(K(t)0, K(t)R) from the top inFIG. 12A, K(t)R can be obtained.

In the case of devices 0 and 1, node key K000 is not included in what toupdate. Necessary node keys are K(t)00, K(t)0, and K(t)R. In devices 0and 1, by decrypting the third encrypted key Enc(K000, K(t)00), K(t)00can be obtained.

Subsequently, by decrypting the second encrypted key Enc(K(t)00, K(t)0)from the top in FIG. 12A, updated node key K(t)0 can be obtained. Bydecrypting the top encrypted key Enc(K(t)0, K(t)R), K(t)R can beobtained.

By using the above operation, devices 0, 1, and 2 can obtain updated keyK(t)R. The “INDEX” in FIG. 12A indicates the absolute address of a nodekey or a leaf key used as a decryption key.

In a case in which upper node keys KO and KO in the tree structure inFIG. 11 do not need to be updated, and only node key K00 must beupdated, updated node key K(t)00 can be distributed to devices 0, 1, and2 by using the enabling key block in FIG. 12B.

The enabling key block in FIG. 12B can be used in the case ofdistributing a new master key that is shared in a specified group. It isassumed as a specific example that devices 0, 1, 2, and 3 in thedotted-line group in FIG. 11 use certain recording media and need newcommon master key K(t)_(master). Then, data Enc(K(t), K(t)_(master)) isdistributed which is obtained by encrypting updated master keyK(t)_(master) with K(t)00 obtained by updating node key K00 common todevices 0, 1, 2, and 3. Thus, data Enc(K(t), K(t)_(master)) isdistributed, as data that is not decrypted, to the devices of othergroups, such as device 4.

In other words, devices 0, 1, and 2 can obtain master key K(t)_(master)at time “t” by decrypting the above data using K(t)00 obtained byprocessing the enabling key block.

Distribution of Master Key Using Enabling Key Block

FIG. 13 shows, as a processing example of obtaining master keyK(t)_(master) at time “t”, processing of device 0 that receives, via arecording medium, data Enc(K(t)00, K(t)_(master)) obtained by usingK(t)00 to encrypt new common master key K(t)_(master), and the enablingkey block shown in FIG. 12B. As shown in FIG. 13, device 0 generatesnode key K(t)00 by performing enabling-key-block processing similar tothe above, using the enabling key block at time as a generation recordedon the recording medium. After decrypting updated master keyK(t)_(master) using decrypted updated node key K(t)00, device 0 encryptsthe master key using its own leaf key K0000 and records the encryptedmaster key so that the master key can be used afterward. When device 0can securely store updated master key K(t)_(master), the encryptionusing leaf key K0000 is not required.

With reference to the flowchart shown in FIG. 14, a process foracquiring the updated master key is described below. It is assumed thatthe latest master key K(c)_(master) is given to each recording/playbackdevice when it is shipped and is stored in an internal memory securely(specifically, for example, in a form in which the given master key isencrypted using the device's leaf key).

When the recording medium that contains updated master key K(n)_(master)and the enabling key block is loaded into the recording/playback device,in step S1401, the recording/playback device reads the time (generation)number “n” (represented by pre-recording generation information “n”) ofthe recorded master key K(n)_(master) from the recording medium. On therecording medium, the time (generation) number “n” of the recordedmaster key K(n)_(master) is recorded beforehand. In step S1402, afterreading self-retained encryption master key C, the recording/playbackdevice compares the “generation c” of the encryption master key and the“generation n” of the pre-recording generation information, anddetermines the order of the generations.

In step S1402, if the recording/playback device has determined that“generation n” represented by pre-recording generation information #ndoes not follow (is not newer than) the “generation c” of encryptedmaster key C stored in the internal memory, in other words, when the“generation c” of encrypted master key C is identical to or follows“generation n” represented by pre-recording generation information #n,steps S1403 to S1408 are skipped and the master key updating process isterminated. In this case, the master key K(c)_(master) stored in theinternal memory is not updated since it does not need to be updated.

In step S1402, if the recording/playback device has determined that“generation n” represented by pre-recording generation information #nfollows (is newer than) the “generation c” of encrypted master key Cstored in the internal memory, in other words, when the “generation c”of encrypted master key C is older than “generation n” represented bypre-recording generation information #n, the recording/playback deviceproceeds to step S1403 and reads the enabling key block from therecording medium.

In step S1404, the recording/playback device calculates key K(t)00 ofnode K00 at pre-recording generation information #n by using theenabling key block read in step S1403, and the leaf key (K0000 in device0 in FIG. 11) and the node keys (K000, K00, etc., in device 0 in FIG.11) which are stored in the internal memory.

In step S1405, the recording/playback device determines whether it hasobtained K(t)00 in step S1404. If the recording/playback device has notobtained K(t)00, it is indicated that the recording/playback device isrevoked from the group in the tree structure that time. Accordingly,steps S1406 to S1408 are skipped and the master key updating process isterminated.

If the recording/playback device has obtained K(t)00, it proceeds tostep S14606 and reads, from the recording medium, Enc(K(t)00,K(t)_(master)), which is a code obtained by using K(t)00 to encrypt themaster key at time ‘t’. In step S1407, the recording/playback deviceuses K(t)00 to decrypt the code and calculates K(t)_(master).

In step S1408, in the recording/playback device, K(t)_(master) isencrypted using its leaf key (K0000 in device 0 in FIG. 11) and isstored in the internal memory. After that, the master key updatingprocess ends.

Although master keys are used in ascending order from the key at time(generation) zero (0), it is preferable that the master keys from thenew generation to the older generation be structured by computation, asrequired by the component units of the system. In other words, therecording/playback device retains unidirectional “function f”, andcreates a desired master key by applying its own master key to theunidirectional “function f” a number of times which corresponds to thedifference between the generation of the master key and the generationof the required master key.

Specifically, by way of example, when the generation of the master keyMK stored in the recording/playback device is i+1, and the generation ofthe master key MK required for reading data is i−1, master keyK(i−1)_(master) is generated such that in the recording/playback device,unidirectional “function f” is used twice to calculatef(f(K(i+1)_(master)))

When the generation of the master key MK stored in therecording/playback device is i+1, and the generation of the master keyMK required for reading data is i−2, master key K(i−2)_(master) isgenerated such that in the recording/playback device, unidirectional“function f” is used three times to calculate f(f(f(K(i+1)_(master)))).

In this operation, for example, the hash function can be used as theunidirectional “function f”. Specifically, MD5 (Message Digest 5), SHA-1(Secure Hash Algorithm-1), etc., can be employed. A key issuingauthority uses these unidirectional functions to beforehand calculatemaster keys by which generations older than their generations can beformed, namely, K(0)_(master), K(1)_(master), K(2)_(master), . . . ,K(N)_(master). Specifically, initially, by setting N-generating masterkey K(N)_(master), and applying the unidirectional function to masterkey K(N)_(master) for each time, older generation master keys,K(N−1)_(master), K(N−2)_(master), . . . , K(1)_(master), K(0)_(master)are sequentially generated. After that, the generated master keys areused in sequence from smaller generation master key K(0)_(master). It isassumed that unidirectional function that is used to generate masterkeys having generations older than the generation of a master key be setin all recording/playback devices.

Also, for example, public key cryptosystem technology can be used as aunidirectional function. In this case, a key issuing authority possessesa secret key for a public key cryptosystem and provides a public keycorresponding to the secret key to all reproducing devices. The keyissuing authority sets zero-th generation master key K(0)_(master), andbegins to use K(0)_(master). Specifically, when requiring master keyK(i)_(master) subsequent to the first generation, the key issuingauthority generates and uses master key K(i)_(master) by using thesecret key to convert master key K(i−1)_(master) which is older onegeneration. In this case, the key issuing authority does not need togenerate an N-th generation master key beforehand by using theunidirectional function. According to this method, theoretically, masterkeys of a limitless number of generations can be generated. If eachrecording/playback device retains a master key of a generation, it canobtain a master key of a generation older than the generation by using apublic key to convert the master key.

Next, with reference to the flowchart shown in FIG. 15, a process by therecording/playback device is described below which is performed when therecording/playback device records a content on its own recording medium.

Content data is encrypted using a master key of a generation and isdistributed from a content provider to each recording/playback devicevia a network or using recording media.

In step S1501, the recording/playback device reads pre-recordinggeneration information #n from the recording medium. Therecording/playback device also acquires the “generation c” of encryptedmaster key C stored in its own memory.

In step S1502, the recording/playback device compares the “generation c”of the encrypted master key C and “generation n” represented bypre-recording generation information #n, and determines the order of thegenerations.

In step S1502, if the recording/playback device has determined that the“generation c” of encrypted master key C stored in its own memory doesnot follow “generation n” represented by pre-recording generationinformation #n, in other words, when the “generation c” of encryptedmaster key C stored in its own memory is older than “generation n”represented by pre-recording generation information #n, therecording/playback device skips over step S1503 and does not perform acontent data recording process

In step S1502, if the recording/playback device has determined that the“generation c” of encrypted master key C stored in its own memoryfollows “generation n” represented by pre-recording generationinformation #n, in other words, when the “generation c” of encryptedmaster key C stored in its own memory is identical to or newer than“generation n” represented by pre-recording generation information #n,the recording/playback device goes to step S1503 and performs thecontent data recording.

Content Data Encryption and Recording Processing UsingGeneration-Controlled Master Keys

A process in which a recording/playback device performs encryption ofcontent data using generation-controlled master keys and records theencrypted data on its own recording medium is described below. Here, aprocess is described in which a block key is generated based on datausing the generation-controlled master key, and data composed of theabove transport stream is encrypted using the block key and is stored ona recording medium.

With reference to the block diagrams shown in FIGS. 16 and 17, and theflowchart shown in FIG. 18, the above process is described below.

An optical disk is used as an example of a recording medium. In theembodiment shown in FIGS. 16 to 18, in order to prevent the copying ofdata on the recording medium bit by bit, disk ID that is identificationinformation unique to the recording medium is controlled to operate on akey for encryption of data.

In accordance with FIGS. 16 and 17, an outline of data-encryptionprocessing performed by the cryptosystem unit 150 is described below.

A recording/playback device 1600 reads a master key 1601, an analyzingdata-recording key (hereinafter referred to as a “cognizant key”) 1631or a non-analyzing data-recording key (hereinafter referred to as a“noncognizant key”) 1632, which are stored in an internal memory likethe memory 180 (FIG. 1 or 2). The cognizant key 1631 and thenon-cognizant key 1632 are described later.

The master key 1601 is a secret key stored in the memory of therecording/playback device 1600 as shown in the flow of FIG. 14. Thegeneration of the master key 1601 is controlled as described above, anda generation number is correlated with each generation. The master key1601 is a key used in common in a plurality of recording/playbackdevices, for example, a key common to devices 0 to 3 belonging to thedotted-line group shown in FIG. 11. A device ID is the identifier of therecording/playback device 1600 and is an identifier stored beforehandtherein, such as a serial number in production. The device ID may beopen to the public. The cognizant key 1631 and the non-cognizant key1632 correspond to recording modes, respectively, and are common to aplurality of recording/playback devices. These keys are storedbeforehand in the memory of the recording/playback device 1600.

The recording/playback device 1600 checks the recording medium 1620 asan optical disk about whether the disk ID 1603 as identificationinformation has already been recorded. If the disk ID 1603 has beenrecorded, the recording/playback device 1600 reads the disk ID 1603(FIG. 16). If the disk ID 1603 has not been recorded, a disk ID 1701 isgenerated randomly or by a predetermined method such as random numbergeneration by an cryptosystem unit 150, and is recorded on the recordingmedium (FIG. 17). The disk ID 1603 can be stored in a lead-in area orthe like since the disk needs to have one disk ID.

The recording/playback device 1600 generates a disk unique key 1602 byusing the master key 1601, a stamper ID 1680 that is recorded as secretinformation readable from the disk only in a special reading method, andthe disk ID 1603.

The following two methods shown in FIG. 19 can be used as specificmethods for generating the disk unique key 1602 by using the master key1601, the stamper ID 1680 as secret information, and the disk ID 1603.In one method (example 1), the master key 1601, the stamper ID 1680, andthe disk ID 1603 are input to a hash function using a block encryptionfunction, and the obtained result is used. In another method (example2), data which is obtained by the bit concatenation of the master key1601, the stamper ID 1680 as secret information, and the disk ID 1603 isinput to hash function SHA-1 defined in Federal Information StandardPublication (FIPS PUB) 180-1, and from the resultant 160-bit output, anecessary data length is used as the disk unique key 1602.

As described above, the stamper ID 1680 is highly secret informationrecorded on the disk. Arithmetic processes, such as the reading of thestamper ID 1680, and the generation of the disk unique key 1602 by usingthe stamper ID 1680, are executed inside the cryptosystem unit 150 sothat secrecy is maintained. In other words, the secret information readfrom the disk is securely protected in the cryptosystem unit 150.

In the present invention, secret information that can be read by only aspecial reading method is read by only an appropriate device, that is, adevice capable of reading the secret information. Under secureprotection, the secret information is used for the process of generatingkeys for encrypting contents in, for example, a cryptosystem unit whichis mounted in an LSI and which performs the generation of a highlyprotected cryptographic key, so that the secret information is notstored in an externally readable memory. Accordingly, there is nopossibility that the secret information leaks, and playback of abnormalcontents can be effectively prevented.

As described above, secret information such as a stamper ID is writtenin a disk in a manner different from an ordinary data writing technique,and can be read in a technique different from ordinary data reading. Theprocesses of writing and reading the secret information are describedlater.

In the recording/playback device 1600, the cryptosystem unit 150 (seeFIG. 1 or 2) generates a title key 1604 as a unique key for each time ofrecording, randomly or by a predetermined method such as random numbergeneration, and records the title key 1604 on the disk 1620.

After that, a flag 1633 that indicates which of a cognizant mode or anon-cognizant mode is set as a recording mode 1635, and the recordingmode 1635 is recorded on the disk 1620.

Here, the cognizant mode and the non-cognizant mode are described below.

In each content, whether or not the content can be copied under whatconditions is designated beforehand by a content provider. Accordingly,in network connection, the designated conditions must be correctlyposted from a device to another device. In the DTCP system, a methodusing copy control information is used to solve this problem. Concerningcopy control information, there are two types of transmission techniquesin accordance with device performance.

“Encryption Mode Indicator (EMI)” is a mechanism in which the two upperSy bits in a packet header are used to send copy control information. Byusing this mechanism, a receiver device can easily perform accessing,and a content can be securely sent because the value of the EncryptionMode Indicator acts on a key for encrypting the content.

The Encryption Mode Indicator is used to indicate the encryption mode ofthe packet, and the generation modes of content encryption anddecryption keys are designated. By disposing the Encryption ModeIndicator in an IEEE 1394 packet header, a receiver device is allowed toeasily know the type of a mode for encryption of the content, forexample, without extracting an embedded copy control information(described later) in an MPEG transport stream.

FIG. 20 shows an IEEE 1394 packet format. In “Data Field”, various typesof contents, such as music data and image data, are stored. TheEncryption Mode Indicator (EMI) as copy control information is set astwo upper Sy bits in a packet header.

The 2-bit EMI information defines a different type of treatment inaccordance with the set value. Specifically, value “00” is “Copy Free”indicating that neither authentication nor encryption is not requiredand that a content may be freely copied. Value “01” is “Copy OneGeneration” indicating that 1-generation copying may be performed. Value“10” is “No More Copies” indicating that, after the above Copy OneGeneration is recorded once, recopying is inhibited. Value “11” is“Never Copy” indicating that the copying of a content is inhibited fromthe release thereof.

In the non-cognizant recording mode, in order that a bit streamrecorder, such as D-VHS or hard disk, which does not recognize theformat of data to be recorded may correctly treat copyrighted material,it is only necessary to update the Encryption Mode Indicator, withoutrequiring the updating (e.g., Copy One Generation to No More Copies) theembedded copy control information when content recording is performed.

Conversely, in a format (e.g., DV-format) in which an area for sendingcopy control information is reserved, the copy control information canbe sent as part of a content. Copy control information that is embeddedas part of the content, as described above, is called “embedded copycontrol information”. Normally, when a content is encrypted andtransferred, embedded copy control information is similarly encryptedand transferred. It is considered that an intentional change of theembedded copy control information is difficult.

Here, in the case of a content having both the above 2-bit EMI copycontrol information and the embedded copy control information, arecording device that performs content recording updates the two typesof copy control information, namely, both the Encryption Mode Indicatorand the embedded copy control information. However, in the case of arecording device that does not have ability to analyze the embedded copycontrol information, the Encryption Mode Indicator is updated but theembedded copy control information is not updated.

A recording technique in which in a content recording mode, afterupdating embedded copy control information transmitted as part of acontent, a recording device records the content with the updatedembedded copy control information, is called a “cognizant mode”. Incomparison between the cognizant mode and the non-cognizant mode, thenon-cognizant mode causes a small load and can be easier employedbecause the updating of the embedded copy control information does notneed to be performed. However, the DTCP has a rule in which in orderthat a device may perform MPEG decoding of a content and may output avideo signal from an analog terminal, the device must employ thecognizant mode. Accordingly, a device having a decoding/display functionmust have a function of executing the cognizant mode.

In addition, in order to execute the cognizant mode, it is necessary tocompletely know the position and meaning of the embedded copy controlinformation which is embedded as part of the content. For example,concerning a new or updated data format established after a certaindevice goes on the market, an old device may have a great difficulty inexecuting the cognizant mode in the new or updated data format.

Accordingly, it is possible that, for a specified data format orimplementing a specified function, a content recording device executethe cognizant mode, while for recording a content having a differentdata format, the content recording device execute the non-cognizantmode.

There is a type of device that only performs recording using thenon-cognizant mode for all contents. Conversely, there may be a type ofdevice that only executes processing for contents having formats capableof understanding embedded copy control information, in other words, atype of device that only executes the cognizant mode.

As described above, in circumstances in which two type of copy controlinformation, namely, Encryption Mode Indicator and embedded copy controlinformation exist, and both a device that executes the cognizant modeand a device that executes the non-cognizant mode exit, it is preferableto distinguish between a content recorded in the cognizant mode and acommunication network recorded in the non-cognizant mode.

In other words, when the cognizant mode is used to perform contentrecording, both types of copy control information, namely, EncryptionMode Indicator and embedded copy control information are updated, butwhen the non-cognizant mode is used to perform content recording, onlyEncryption Mode Indicator is updated and embedded copy controlinformation is not updated. As a result, mismatching occurs between theEncryption Mode Indicator and the embedded copy control informationrecorded on a recording medium, and the mismatched Encryption ModeIndicator and embedded copy control information mix to cause confusion.That is why the distinction of the contents is preferable. Therefore, inorder to prevent the two types of copy control information from beingmismatched, for the content recorded in the cognizant mode,cognizant-mode recording/playback processing must be executed, and forthe content recorded in the non-cognizant mode, non-cognizant-moderecording/playback processing must be executed.

Accordingly, one idea is that the cognizant mode and the non-cognizantmode are treated as separate recording modes. In this case, in order fora device to selectively execute both modes, the device must haveprocessing configurations for executing both modes. This causes aproblem in that the cost of the device is increased.

According to the present invention, in accordance with either thecognizant mode or the non-cognizant mode, by generating acontent-encryption key which is different from that used in the othermode, the two recording modes can be distinguished in accordance withthe device and the recording mode used for recording the content, and asituation can be eliminated in which recording is performed with the twomodes used in disorder. This implements a content processingconfiguration using either recording mode in accordance with the deviceand the recording mode used for recording the content, withoutincreasing the configuration and processing load of the device.

Specifically, an encryption/decryption-key generating key (cognizantkey) as secret information (necessary for playback) for cognizant-moderecording is provided and stored in only a device having a function ofrecording or playback using the cognizant mode, and anencryption/decryption-key generating key (non-cognizant key) as secretinformation (necessary for playback) for cognizant-mode recording isprovided and stored in only a device having a function of recording orplayback using the non-cognizant mode.

In this construction, concerning, for example, a content recorded usingthe cognizant mode, a device that has only a non-cognizant-moderecording/playback function can be prevented from executing, by a bug,manipulation of data, or unauthorized change of recording/playbackprogram, mistaken or dishonest recording/playback.

Referring back to FIGS. 16 and 17, the description of the contentrecording processing is continued.

The recording/playback device 1600 further acquires the generationnumber of the master key for use, namely, the generation number(generation #n) 1650 of the master key to be stored by itself, andstores the acquired generation number as a recording-mode generationnumber 1651 on the recording medium 1620.

On the recording medium 1620 as a disk, there is a data management filethat stores information about which data forms which title. In the datamanagement file, a title key 1605, the recording mode flag 1635, and therecording-mode generation number 1651 can be stored.

On the recording medium 1620, pre-recording-mode generation numbers arerecorded beforehand. Only each content stored after being encryptedusing a master key of a generation which is identical to apre-recording-mode generation number or is newer than thepre-recording-mode generation number can be played back. Thisconstruction is described in playback processing described later.

Next, among combinations, namely, a combination of a disk unique key anda title key, and combinations of a cognizant key or a disk unique key,the title key, and the non-cognizant key, any combination is used togenerate a title unique key.

Specifically, when the recording mode is the cognizant mode, the diskunique key, the title key, and the cognizant key are used to generatethe title unique key. When the recording mode is the non-cognizant mode,the disk unique key, the title key, and the non-cognizant key are usedto the title unique key.

As described above, the encryption/decryption-key generating key(cognizant key) as secret information for cognizant-mode recording isstored in only the device having the function of recording or playbackusing the cognizant mode, while the encryption/decryption-key generatingkey (non-cognizant key) as secret information for cognizant-moderecording is stored in only the device having a function of recording orplayback using the non-cognizant mode. Accordingly, in a device adaptedfor either recording mode, either recording mode is selected and contentrecording is executed. In other words, the use of the recording mode islimited to either the use of the cognizant key or the user of thenon-cognizant key.

In the case of a device in which both keys are stored and both recordingmodes can be executed, a process is required which determines whethereither recording mode should be executed. This mode determinationprocess, that is, a process for determining whether the cognizant modeor the non-cognizant mode is used to perform content recording isdescribed below with reference to FIG. 21.

Basically, it is preferable to perform content recording by thecognizant mode if possible. This is, as described above, becauseEncryption Mode Indicator and embedded copy control information areprevented from being mismatched. However, there is a possibility that adata analysis error, etc., occurs due to emergence of a new data format,etc., as described above. In such a case, recording using thenon-cognizant mode is executed.

Each step in FIG. 21 is described below.

In step S5001, a recording device determines whether it can analyze adata format. As described above, embedded copy control information isembedded in a content, and impossibility of the data format analysisindicates that the reading of the copy control information isimpossible. In this case, recording using the non-cognizant mode isexecuted.

When the data format analysis is possible, the recording device proceedsto step S5002, and determines whether it can perform data (content)decoding, the reading of embedded copy control information, andupdating. The content and the embedded copy control information arenormally encoded, so that the reading of the embedded copy controlinformation requires the execution of decoding. For example, in a casein which the device cannot perform decoding processing for the reasonthat a decoding circuit has already been used when multichannelsimultaneous recording is performed, the embedded copy controlinformation cannot be read, so that recording using the non-cognizantmode is executed.

In step S5002, if the recording device has determined that it canperform data (content) decoding, the reading of embedded copy controlinformation, and updating, in step S5003, the recording devicedetermines whether or not an input to the recording device by a userincludes an input designating the execution of recording using thenon-cognizant mode. Step S5003 is a step that is executed in only adevice in which mode selection designated by the user can be performed,and is not executed in an ordinary device, that is, a device that doesnot allow the user to designate a mode. When the user inputs designationof the non-cognizant mode, recording using the non-cognizant mode isexecuted.

In step S5004, the recording device determines whether or not a contentpacket (e.g., received data) includes designation of executing recordingusing the non-cognizant mode. If the determination is affirmative,recording using the non-cognizant mode is executed. If the determinationis negative, recording using the cognizant mode is executed.

In the device that can selectively execute recording using the cognizantmode and recording using the non-cognizant mode, the above-describedmode determination process is used to determine the execution ofrecording using either mode. However it is understood from FIG. 21 thatwhen recording using the cognizant mode is possible, recording using thecognizant mode is basically executed.

As described above, when the cognizant mode is used as the recordingmode, the disk unique key, the title key, and the cognizant key are usedto generate the title unique key, while when the non-cognizant mode isused the recording mode, the disk unique key, the title key, and thenon-cognizant key are used to generate the title unique key.

FIG. 22 shows specific methods for generating the title unique key.

One method (example 1) uses a result obtained by inputting, to a hashfunction using a block encryption function, the title key, the diskunique key, and the cognizant key (in the case of the cognizant mode) orthe non-cognizant key (in the case of the non-cognizant key).

In another method, after inputting, to hash function SHA-1 defined inFIPS PUB 180-1, data generated by the bit concatenation of the masterkey, the disk ID, and the cognizant key (in the case of the cognizantmode) or the non-cognizant key (in the case of the non-cognizant key).,only a necessary data length in the resultant 160-bit output is used asthe title unique key.

In the above description, the master key, the stamper ID, and the diskID are used to generate the disk unique key, and the disk unique key,and either the cognizant key or the non-cognizant key are used togenerate each title unique key. However, without using the disk uniquekey, by using the master key, the disk ID, the title key, and either thecognizant key or the non-cognizant key, the title unique key may bedirectly generated. Also, without using the title key, by using themaster key, the disk ID, and either the cognizant key or thenon-cognizant key, a key corresponding to the title unique key may begenerated.

By way of example, when one of transmission formats defined in the aboveDTCP is used, there is a case in which data is transmitted by TS packetsin MPEG-2. For example, when a set-top box (STB) which receives asatellite broadcast uses the DTCP to transmit the broadcast to arecording device, it is preferable that the STB send MPEG-2 TS packetstransmitted via the satellite broadcast link, also on the IEEE 1394because data conversion does not need to be performed.

The recording/playback device 1600 receives content data to be recordedin the form of TS packets, and uses the TS processing unit 300 to add anarrival time stamp, which is information on the reception time of eachTS packet. As described above, the block seed which is added to theblock data may be formed by a combination of the arrival time stamp, thecopy control information, and other information.

By arranging X (e.g., 32) ATS-added TS packets, one block of block datais formed (see the upper image in FIG. 5). As shown in FIG. 16 or 17,from a block seed having a 32-bit arrival time stamp, which is output byseparating (selector 1608) the first to fourth bytes of the start of theblock data input as data to be encrypted, and the already generatedtitle unique key, a block key as a key for encrypting the data of theblock data is generated (1607).

FIG. 23 shows two methods for generating the block key. In each method,from a 32-bit block seed and a 64-bit title unique key, a 64-bit blockkey is generated.

In the upper example 1, an encryption function is used which has a keylength of 64 bits and an input/output length of 64 bits. A title uniquekey is used as a key for the encryption function, and a result that isobtained by inputting to the encryption function a concatenation valueof a block seed and a 32-bit constant is used as a block key.

In the lower example 2, hash function SHA-1 defined in FIPS PUB 180-1 isused. Reduced data having 64 bits is used as a block key. For example, aconcatenation value of a title unique key and a block seed is input tohash function SHA-1, and from the resultant 160-bit output, onlylower-64-bit part is used.

Using FIG. 23, examples in which the disk unique key, the title uniquekey, and the block key are generated have been described. However,without executing the generation of the disk unique key and the titleunique key, the block key may be generated by using, for each block, amaster key, a stamper ID, a disk ID, a title key, a block seed, and acognizant key (in the case of the cognizant mode) or a non-cognizant key(in the case of the non-cognizant mode).

After the block key is generated, the generated block key is used toencrypt block data. As the bottom of FIGS. 16 and 17 shows, the initialfirst to m-th (e.g., m=8) bytes of the block data including the blockseed are separated (by a selector 1608) and are not encrypted. The(m+1)th byte to the final byte are encrypted (1609). The m bytes thatare not encrypted include the first to fourth bytes as a block seed. Theblock data after the (m+1)th byte which is separated by the selector1608 are encrypted (1609) in accordance with an encryption algorithmpreset in the cryptosystem unit 150. For example, the Data EncryptionStandard (DES) defined in FIPS 46-2 can be used as the encryptionalgorithm.

As described above, the block seed may include copy control information.Accordingly, when recording using the cognizant mode is executed, copycontrol information that corresponds to embedded copy controlinformation, which is embedded in content data, is recorded. Whenrecording using the non-cognizant mode is executed, copy controlinformation that reflects the Encryption Mode Indicator (EMI) in thepacket header in FIG. 20 is recorded.

In other words, in the case of information recording processing usingthe cognizant mode, record-information generating processing is executedin which a block seed including copy control information based onembedded copy control information in data part is added to a block datacomposed of at least one packet. In the case of information recordingprocessing using the non-cognizant mode, record-information generatingprocessing is executed in which a block seed including copy controlinformation based on the Encryption Mode Indicator as copy controlinformation included in a packet is added to a block data composed of atleast one packet.

Here, when the block length (input/output data size) of an encryptionalgorithm for use is eight bytes as in the DES, by letting X be 32, andm be a multiple of 8, the entire block after the (m+1)-th byte can beencrypted without generating a fraction.

In other words, when assuming that the number of TS packets to be storedin one block is x, the input/output data size of the encryptionalgorithm is L bytes, and n is an arbitrary natural number, bydetermining X, m, and L so that 192*X=m+n*L can hold, the need forfraction processing is eliminated.

The encrypted block data after the (m+1)th byte is combined with thedata of the first to m-th bytes by the selector 1610, and thecombination is stored as encrypted content on the recording medium 1620.

In the above-described processing, in units of blocks, contents areencrypted using a block key generated based on a block seed including ageneration-controlled master key and an arrival time stamp, and arestored on a recording medium.

As described above, according to the present invention, content data isencrypted using a generation-controlled master key, and is recorded on arecording medium. Thus, for enabling decoding or playback, it isconditioned that playback processing on the recording medium isperformed by a recording/playback device having the generation of amaster key which is at least identical to or newer than the generationof a master key used for recording data.

As described above, in the case of recording using the cognizant mode,the block key is generated based on the cognizant key, while in the caseof recording using the non-cognizant mode, the block key is generatedbased on the non-cognizant key. The data encrypted using the modes canbe read only by a device having a key (the cognizant key or thenon-cognizant key) corresponding to a mode identical to that used forrecording.

In other words, the cognizant key is supplied only to a device that canrecognize and update embedded copy control information which is embeddedin a stream when performing recording and to a device allowed to readthe data. A device that does not have the cognizant key cannot read acontent recorded using the cognizant mode.

Similarly, the non-cognizant key is supplied only to a device having anon-cognizant recording mode that does not recognize embedded copycontrol information in a stream when recording is performed and to adevice allowed to read data recorded in the mode. A device that does nothave the non-cognizant key is designed so as not to a content recordedusing the non-cognizant mode. Details of the playback processing aredescribed later.

Next, with reference to the flowchart shown in FIG. 18, both thearrival-time-stamp adding processing by the TS processing unit 300 andthe encryption processing by the cryptosystem unit 150, which areexecuted in accordance with data recording processing, are describedbelow.

In step S1801, the recording/playback device reads a master key and thecognizant key or the non-cognizant key from the memory 180. Therecording/playback device reads a stamper ID from a disk as a recordingmedium.

In step S1802, the recording/playback device determines whether a diskID has already been recorded as identification information on the disk.If the determination is affirmative, in step S1803, the disk ID is read.If the determination is negative, in step S1804, the disk ID isgenerated randomly or by a predetermined method, and is recorded on therecording medium. In step S1805, a master key and a stamper ID are usedto generate a disk unique key. The disk unique key is found by applying,for example, a method using hash function SHA-1 defined in FIPS PUB180-1, a method using a hash function based on block encryption, etc.

In step S1806, a title key is generated as a unique key for each time ofrecording, and is recorded on the disk, with the recording mode and thegeneration number of the master key. The recording mode represents atype of information recording mode, namely, either the cognizant mode orthe non-cognizant mode.

In step S1807, a title unique key is generated by using the disk uniquekey, the title key, and the cognizant key (in the case of the cognizantmode) or the non-cognizant key (in the case of the non-cognizant mode).

FIG. 24 is a detailed flowchart showing the generation of the titleunique key. In step S2001, the cryptosystem unit 150 proceeds todifferent steps depending the recording mode. This branching isdetermined based on the program of the recording/playback device anddesignation data input by a user of the recording/playback device.

In step S2001, if the cryptosystem unit 150 has determined that therecording mode is the cognizant mode, it proceeds to step S2002, andgenerates the title unique key by using the disk unique key, the titlekey, and the cognizant key.

In step S2001, if the cryptosystem unit 150 has determined that therecording mode is the non-cognizant mode, it proceeds to step S2003, andgenerates the title unique key by using the disk unique key, the titlekey, and the non-cognizant key. The title unique key is generated byusing a method using hash function SHA-1 defined in FIPS PUB 180-1, anda method using a hash function based on block encryption.

In step S1808, the recording/playback device receives, in the form of TSpackets, data to be encrypted of content data to be recorded. In stepS1809, the TS processing unit 300 adds each arrival time stamp (ATS) asinformation on a time at which each TS packet is received.Alternatively, the TS processing unit 300 adds each value obtained bycombining copy control information, an arrival time stamp, and otherinformation.

In step S1810, the recording/playback device sequentially receives theATS-added TS packets, and determines whether the received packets hasreached, for example, X=32 which forms one block, or whether it hasreceived identification data indicating the end of the packets. Ifeither condition is satisfied, the recording/playback device goes tostep S1811, and forms one block of block data by arranging X ATS-addedTS packets or ATS-added TS packets up to the end packet.

In step S1812, the cryptosystem unit 150 generates a block key as anencryption key for encrypting the block data by using the first 32 bits(the block seed including the arrival time stamp) and the title uniquekey generated in step S1807.

In step S1813, the generated block key is used to the block data formedin step S1811. As described above, the encryption range is the (m+1)thbyte to the end byte of the block data. The Data Encryption Standarddefined in the FIPS 46-2 is applied to the encryption algorithm.

In step S1814, the encrypted block data is recorded on the recordingmedium. In step S1815, the recording/playback device determines whetherall data have been recorded. If the determination is affirmative, therecording is terminated. If the determination is negative, therecording/playback device goes back to step S1808, and the remainingdata is processed.

In accordance with the above process, the content recording processingis executed using the cognizant mode or the non-cognizant mode. When thecontent recording processing is executed by the cognizant mode, a keyfor use in content encryption is generated based on the cognizant key.When the content recording process is executed using the non-cognizantmode, a key for use in content encryption is generated based on thenon-cognizant key. Accordingly, for the content recorded on the disk, itis required that a decryption key be generated by using either of thecognizant key and the non-cognizant key, or a single key. This canprevent recording and playback processing in which both modes are used.

Writing and Playback of Secret Information

Next, secret-information writing and reading processes are describedbelow in which secret information, such as the stamper ID 1680 shown inFIG. 16 or 17, is written on the disk by using a manner different froman ordinary data-writing technique and in which the written secretinformation is allowed to be read only in the case of applying a mannerdifferent from an ordinary data-reading technique.

Generation of Secret Information by Signal Disturbance

First, a structure in which various types of information signals, suchas the stamper ID 1680, are recorded after being disturbed usingM-series signals is described below.

FIG. 25 shows the structure of a write-signal generating modulationcircuit. The circuit shown in FIG. 25 writes secret information (such asthe stamper ID 1680) modulated based on an FG signal which riseswhenever a disk on which data is written rotates by a predeterminedangle.

After generating, based on the FG signal, channel clocks CK which issynchronized with the rotation of the disk, a PLL circuit 1041 suppliesthe channel clocks CK to the components of the circuit.

A timing generator (TG) 1042 generates an initialization pulse signal SYfor initializing M-series generating circuits 1045A to 1045D atpredetermined intervals by counting the channel clocks CK. The timinggenerator 1042 also generates and outputs a synchronization patternselection signal ST which is synchronized with the initialization pulsesignal SY.

Secret information, such as the stamper ID 1680, is input to themodulation circuit in FIG. 25 at a bit rate which is extremely smallerthan that of the channel clocks CK. A synchronizing pattern generatingcircuit 1043 generates and outputs a predetermined synchronizing patternDY based on the initialization pulse signal SY.

The M-series generating circuits 1045A to 1045D are initialized by theinitialization pulse signal SY, and output M-series M1 to M4,respectively. The M-series signals M1 to M4 are strings of data whichhave randomly changing logical values and in which a possibility thatlogic “1” occurs and a possibility that logic “0” occurs are equal toeach other. The M-series M1 to M4 signals do not have any mutualrelationship.

Arithmetic circuits (indicated by “X” in FIG. 25) 1046A to 1046D areformed by exclusive OR circuits, and output the results of exclusive ORoperations on the M-series signals M1 to M4 and the bits b0 to b3 ofsecret information such as a stamper ID and a disk ID. This causes thesecret information to be disturbed by the M-series signals M1 to M4.

A random number generating circuit 1047 generates and outputs a 2-bitrandom number R (any value of 0, 1, 2, and 3) to a data selector 1048 inunits of channel clocks CK. In response to the value of the randomnumber R, the data selector 1048 selectively outputs the results ofoperations from the arithmetic circuits 1046A to 1046D. For example,when the random number R=0, the output of the arithmetic circuit 1046Ais selected. When the random number R=1, the output of the arithmeticcircuit 1046 b is selected. When the random number R=2, the output ofthe arithmetic circuit 1046C is selected. When the random number R=3,the output of the arithmetic circuit 1046D is selected.

In the above construction, by performing decryption based on theM-series signals M1 to M4, the results of operations by the arithmeticcircuits 1046A to 1046D are treated as a series and are furtherdisturbed without being affected by other arithmetic operation results.

A data selector 1049 selectively outputs the initialization pulse signalSY which is output from the synchronizing pattern generating circuit1043 based on the synchronization pattern selection signal ST, and theoutput of the data selector 1048. Accordingly, after the initializationpulse signal SY rises, and a synchronizing pattern (e.g., “11011”) in apredetermined clock period (e.g., a 5-clock period) occurs, the dataselector 1048 is controlled to perform outputting.

On the disk, in a predetermined secret information write area, theoutput of the modulation circuit in FIG. 25 is written. Even if the samesecret information is input to the modulation circuit, the form of writedata differs depending on the random number R. This makes it possible toperform writing of data that cannot be analyzed in ordinary readingprocessing.

Next, with reference to FIG. 26, the playback process on the secretinformation written in the above-described technique is described below.

FIG. 26 shows the structure of a decryption processor that plays backthe secret information such as a stamper ID by decrypting a digitalplayback signal DX read from the disk. Based on the digital playbacksignal DX, a PLL circuit 1081 reproduces and outputs the channel clocksCK to the components of the decryption processor.

After detecting a synchronizing pattern by identifying the digitalplayback signal DX based on the channel clocks CK, a synchronizationdetection circuit 1082 reproduces the initialization pulse signal SYfrom the result of detection. Based on the initialization pulse signalSY and the channel clocks CK, M-series generating circuits 1083A to1083D output the M-series signals M1 to M4 generated in the writingmode.

Multiplication circuits (indicated by “X” in FIG. 26) 1084A to 1084Dmultiply the M-series signals M1 to M4 by the digital playback signalDX, respectively, and output the products. In the multiplicationcircuits 1084A to 1084D, the polarity of the digital playback signal DXis inverted in accordance with the logical value of each of the M-seriessignals M1 to M4, whereby the multiplications are executed. The digitalplayback signal DX is played back only by decryption based on theM-series signals M1 to M4.

Integrating circuits (indicated by “Σ” in FIG. 26) 1085A to 1085Dintegrate, based on the initialization pulse signal SY, the productsoutput by the multiplication circuits 1084A to 1084D, and output theintegrated results in accordance with the logical values of bits b1 tob3 of the secret information (e.g., stamper ID). Determination circuits1086A to 1086D perform binary identification based on the initializationpulse signal SY of the integrated results output by the integratingcircuits 1085A to 1085D, whereby the values of bits b0 to b3 arereproduced and output.

As described above, the secret information is input, as a string of fourparallel bits b0 to b3, to the modulation circuit (FIG. 25), and arerecorded after being disturbed by the four M-series signals M1 to M4 andthe random number R. Thus, it is difficult to read the recorded secretinformation in the ordinary reading processing. When playback isperformed, the M-series signals M1 to M4 can be generated based on thesynchronizing pattern DY, and the generated M-series signals M1 to M4and the decryption of the read signal enable the secret information tobe output.

A recording/playback device which reads a stamper ID written by theabove-described recording technique and which generates acontent-encryption key based on the stamper ID or the like has a secretinformation decrypting unit having the structure shown in FIG. 26.

Recording Secret Information in Inner Circumferential Part of Disk

Next, concerning other secret-information writing and reading processes,a construction is described below in which secret information (such as astamper ID) is written in an area of the disk different from a writearea for music data, etc., and the written information is stably read.

The top part (A) of FIG. 27 is a perspective view of a disk containingsecret information such as a stamper ID. The secret information isrecorded four times on one track of the disk, so that the secretinformation can be played back, even if the disk is partly damaged. Thesecret information includes areas for a header, a stamper ID, etc., andan error correcting code. Each bit of bit patterns indicating theinformation is formed by a minute area unit having a dimension of 50 μm,which is greatly longer than that of each bit of a data area recorded asuser data. In each of the stamper ID area and the error correcting codearea, a synchronizing pattern is formed in which among three minuteareas, only the center area has a pattern formed by changing the opticalproperty of the recording surface. The synchronizing pattern enablestiming control in the playback mode.

The data of the information area and the error correcting code area isdivided into two-bit parts. When two-bit data (b1, b0) is logic “00”,the optical property of only the first minute area is changed, and thelogic is converted to logic “1000” for recording, as shown in the part(D1) of FIG. 27. As shown in the part (D2) of FIG. 27, when two-bit data(b1, b0) is logic “01”, logic “0100” is recorded. As shown in the part(D3) of FIG. 27, when two-bit data (b1, b0) is logic “10”, logic “0010”is recorded. As shown in the part (D3) of FIG. 27, when two-bit data(b1, b0) is logic “1”, logic “0001” is recorded. Accordingly, on thedisk, the percentage of presence of optical-property-changed areas is0.3 or less, so that in the inner circumferential part of the disk, datareading can be performed since focussing servo control based onsufficient reflected light can be performed.

FIG. 28 shows the structure of an decryption unit used for reading thesecret information recorded in the inner circumferential part of thedisk. A PLL circuit 1160 uses the digital playback signal DX toreproduce and output the channel clocks CK.

By determining the signal level of the digital playback signal DX basedon the channel clocks CK, a synchronization detection circuit 1161detects a synchronizing pattern and outputs an initialization pulsesignal SY.

For the minute areas (parts (D1) to (D4) of FIG. 27) following thesynchronizing pattern (part (C) of FIG. 27), a timing generator (TG)1162 outputs, based on the initialization pulse signal SY, samplingpulse signals T1 to T4 which rise in the centers of the minute areas.

Flip-flops (FFs) 1163A to 1163D latch, based on the sampling pulsesignals T1 to T4, digital playback signals. Accordingly, the signallevels of playback signals which are obtained from the four minute areasassigned to the two-bit data (b1, b0) of the information areas and theerror correcting code area are latched and retained in the flip-flops1163A to 1163D.

By determining the magnitudes of the playback signal levels from theflip-flops 1163A to 1163D, the two-bit data (b1, b0) of the informationareas and the error correcting code area are played back and output by amaximum detecting circuit 1164. A parallel/serial conversion circuit(PS) 1165 sequentially converts the two-bit data (b1, b0) into serialdata and outputs the serial data.

A recording/playback device which reads the stamper ID written by theabove-described recording technique and which generates acontent-encryption key based on the stamper ID includes the decryptionunit structure shown in FIG. 28.

As described above, by employing special secret-information writing andreading techniques different from those for contents, secret informationsuch as a stamper ID is recorded on a disk, and the stamper ID is usedas source data for keys for use in content encryption and decryption.Thus, if another processing key leaks, it is impossible to read thesecret information, and a possibility of leak can be greatly reduced.This enables security-enhanced content protection.

This Specification describes a case in which the secret informationrequired for writing and playback of specified information to berecorded on the disk is set as a stamper ID. However, the secretinformation is not limited to the stamper ID. It is possible thatvarious types of identification data, such as IDs set for disks, anddifferent content IDs set for contents, or encryption keys or the like,be set as secret information to be recorded on the disk. By applyingthese types of secret information, a content-encryption key isgenerated.

The above recording/playback device has a structure capable ofselectively using a key for generating an encryption/decryption key forrecording using the cognizant mode and a key for generating anencryption/decryption key for recording using the non-cognizant mode, asshown in FIG. 16 or 17. A recording/playback device that executes onlyone of the modes stores either key, that is, a cognizant key or anon-cognizant key, and generates, based on the stored key, a block keyfor content encryption and decryption. Block diagrams that show theprocess of generating a content-encryption key in eachrecording/playback device storing a single key are shown in FIGS. 29 and30.

FIG. 29 shows a recording/playback device having only a cognizant key.This recording/playback device generates, based on the cognizant key andkey generating data, an encryption key and a decryption key which areused for data recording on a recording medium and data playback from therecording medium in order to execute content encryption and decryption.

FIG. 30 shows a recording/playback device having only a non-cognizantkey. This recording/playback device generates, based on thenon-cognizant key and key generating data, an encryption key and adecryption key which are used for data recording on a recording mediumand data playback from the recording medium in order to execute contentencryption and decryption.

In each recording/playback device storing a single type of key, datarecording/playback can be executed only in either mode.

Content-Data Decryption and Playback Processing UsingGeneration-Controlled Master Key

Next, processing in which encrypted contents recorded as described aboveon the recording medium are decrypted and played back is described belowusing the block diagram shown in FIG. 31 and the flowcharts shown inFIGS. 32 to 34.

Concerning the decryption and playback process, the process flow isdescribed in accordance with the flowchart in FIG. 32, with reference tothe block diagram in FIG. 31.

In FIG. 32, in step S2401, a recording/playback device 2300 (FIG. 31)reads a disk ID 2302, a pre-recording-mode generation number 2350, and astamper ID 2380 from a disk 2320, and also reads a master key 2301, acognizant key 2331 and/or a non-cognizant key 2332 from its memory. Asis clear from the above description of the recording process, the diskID 2303 is recorded on the disk 2320 beforehand, or if it is notrecorded, the disk ID 2303 is a disk unique identifier in which theidentifier is generated in the recording/playback device 2300 and isrecorded on the disk 2320.

The pre-recording-mode generation number 2360 is generation informationwhich is beforehand stored on the disk 2320 as a recording medium andwhich is unique to the disk 2320. By comparing the pre-recording-modegeneration number 2360 and the generation of the master key 2301 whichis obtained in data recording, that is, a recording-mode generationnumber 2350, determination of whether or not the playback process can beperformed. The master key 2301 is a generation-controlled secret keywhich is stored in the memory of the recording/playback device 2300 inaccordance with the flow in FIG. 14. The cognizant key and thenon-cognizant key are secret keys common in system, which correspond tothe cognizant mode and the non-cognizant mode, respectively.

In step S2402, the recording/playback device 2300 reads, from the disk2320, a title key 2305 corresponding to data to be read, a (data)recording mode 2335, and the generation number of a master key used whenrecording data, that is, the recording-mode generation number 2350. Instep S2403, the recording/playback device 2300 determines whether or notdata to be read can be played back. The detailed flowchart of thedetermination is shown in FIG. 33.

In FIG. 33, in step S2501, the recording/playback device 2300 determineswhether or not the recording-mode generation number 2350 read in stepS2402 is newer than the pre-generation number 2360 read in step S2401.If the recording/playback device 2300 has determined that the generationrepresented by the recording-mode generation number 2350 does not followthe generation represented by the pre-generation number 2360, in otherwords, when the generation represented by the recording-mode generationnumber 2350 is older than the generation represented by thepre-generation number 2360, the recording/playback device 2300determines that playback is impossible. The recording/playback device2300 skips over steps 2404 to S2409 and terminates the process withoutperforming playback. Accordingly, when the contents recorded on the disk2320 are encrypted based on the master key 2301 having a generationolder than the generation represented by the pre-recording generationnumber 2360, a playback of the contents is not allowed and the playbackis not performed.

Specifically, when an unauthorized conduct is detected, the aboveprocessing determines that the unauthorized conduct corresponds to acase in which data is encrypted based on an old master key by using anauthorized recorder which is not supplied with a latest generationmaster key and the encrypted data is recorded, whereby the aboveprocessing prevents a recording medium containing the inappropriatelyrecorded data from being played back. This can exclude the use of theunauthorized recorder.

In step S2501, if the recording/playback device 2300 has determined thatthe generation represented by the recording-mode generation number 2350follows the generation represented by the pre-generation number 2360, inother words, when the generation represented by the recording-modegeneration number 2350 is identical to or newer than the generationrepresented by the pre-generation number 2360, and the recorded contentsare encrypted based on a master key whose generation follows thegeneration represented by the pre-generation number 2360, therecording/playback device 2300 goes to step S2502. In step S2502, afterthe recording/playback device 2300 acquires generation information onencryption master key C stored in its memory, it determines whether ornot the generation of the encryption master key C is identical to/newerthan the generation represented by the recording-mode generation number2350 and determines by comparing both generations.

In step S2502, if the recording/playback device 2300 has determined thatthe generation of the encryption master key C does not follow thegeneration represented by the recording-mode generation number 2350, inother words, when the generation of the encryption master key C which isstored in the memory is older than the generation represented by therecording-mode generation number 2350, the recording/playback device2300 determines that a playback is impossible, and terminates thisprocessing without performing the playback process by skipping oversteps S2404 to S2409.

Conversely, in step S2502, if the recording/playback device 2300 hasdetermined that the generation of the encryption master key C followsthe generation represented by the recording-mode generation number 2350,in other words, when the generation of the encryption master key C whichis stored in the memory is identical to or newer than the generationrepresented by the recording-mode generation number 2350, therecording/playback device 2300 goes to step S2503. In step S2503, therecording/playback device 2300 determines whether or not it possesses akey corresponding to the recording mode, that is, a cognizant key or anon-cognizant key.

In step S2503, if the recording/playback device 2300 has determined thatit possesses the cognizant key or the non-cognizant key, it determinesthat a playback is possible. If it does not possess the cognizant key orthe non-cognizant key, it determines that the playback is impossible.

When the playback is possible, the recording/playback device 2300 goesto step S2404. In step S2404, the disk ID 2303, the master key 2301, andthe stamper ID 2380 are used to generate (2302 in FIG. 31) a disk uniquekey. Methods of generating the disk unique key include the following twomethods: in one method, after inputting, to hash function SHA-1 definedin the FIPS 180-1, data generated by bit concatenation of the a masterkey and a disk ID, only a necessary data length in the resultant 160-bitoutput is used as the disk unique key; and in another method, byinputting, to a hash function using a block encryption function, amaster key and a disk ID, the obtained result is used. The master keybeing used here is one read in step S2402 in FIG. 32, which has thegeneration (time) represented by the recording-mode generation number.If the recording/playback device 2300 retains a master key having anewer generation, the above method is used to create a master key havingthe generation represented by the recording-mode generation number, anda disk unique key may be generated using the generated master key.

In step S2405, a title unique key is generated. A detailed flowchart forgenerating the title unique key is shown in FIG. 34. In step S2601, thecryptosystem unit 150 executes determination of a recording mode. Thisdetermination is executed based on the recording mode 2335 read from thedisk 2320.

In step S2601, if the cryptosystem unit 150 has determined that therecording mode is the cognizant mode, it goes to step S2602, andgenerates the title unique key by using the disk unique key, the titlekey, and the cognizant key.

In step S2601, if the cryptosystem unit 150 has determined that therecording mode is the non-cognizant mode, it goes to step S2603, andgenerates the title unique key by using the disk unique key, the titlekey, and the non-cognizant key. For generating the title unique key, amethod using hash function SHA-1, and a hash function based on blockencryption are used.

In the above description, by using a master key, a stamper ID, and adisk ID, the disk unique key is generated, and by using the generateddisk unique key, and a cognizant key or a non-cognizant key, a titleunique key is generated. However, without using the disk unique key, byusing the master key, the stamper ID, the disk ID, the title key, andthe cognizant key or the non-cognizant key, the title unique key may bedirectly generated. Also, without using the title key, by using themaster key, the stamper ID, the disk ID, and the cognizant key or thenon-cognizant key, a key corresponding to the title unique key may begenerated.

In step S2406, block data is sequentially read from encrypted content2312 recorded in encrypted form on the disk 2320. In step S2407, aselector 2310 separates first four bytes as a block seed from the blockdata. The block seed, and the title unique key generated in step S2405are used to generate a block key.

For generating the block key, the above constructions in FIGS. 23A and23B can be applied. In other words, a technique can be applied in whichby using a 32-bit block seed and a 64-bit title unique key, a 64-bitblock key can be generated.

In the above description, each of the disk unique key, the title uniquekey, and the block key is generated. However, for example, withoutexecuting the generation of the disk unique key and the title uniquekey, the block key may be generated for each block by using the masterkey, the stamper ID, the disk ID, the title key, the block seed, and thecognizant key or the non-cognizant key.

After the block key is generated, in step S2408, the block dataencrypted using the block key is decrypted (2309), and is output asdecrypted data via a selector 2308. In the decrypted data, arrival timestamps are added to transport packets constituting a transport stream.In the above-described TS processing unit 300, stream processing basedthe arrival time stamps is executed. After that, data can be used in theform of, for example, displaying an image, and playing music.

As described above, contents recorded on a recording medium after beingencrypted in units of blocks can be played back such that the contentsare decryption-processed using a block key generated based on a blockseed including a arrival time stamp.

After using the block key to decrypt the encrypted block data, in stepS2409, the recording/playback device 2300 determines whether the readingof all data is completed. If all data have already been read, thisprocess ends. If the determination is negative, the recording/playbackdevice 2300 goes back to step S2406 and reads the remaining data.

The above recording/playback device 2300 has a structure capable ofselectively using an encryption/decryption-key generating key (cognizantkey) for the cognizant mode and an encryption/decryption-key generatingkey (non-cognizant key) for the non-cognizant mode, as shown in FIG. 31.As shown in FIGS. 29 and 30, in a recording/playback device that storesonly one of the keys, that is, the cognizant key or the non-cognizantkey, only the recording mode corresponding to the stored key of eithermode is executed, and a content-decrypting block key is generated basedon the stored key.

Processing Configuration Using Media Key Effective Only in RecordingMedium

In the above embodiment, an enabling key block is used to transmit amaster key to each recording/playback device. The recording/playbackdevice uses the master key to record and play back data.

A master key is a key that is effective in the entire record of data atthe point thereof. A recording/playback device that has obtained amaster key at a point is allowed to decrypt data recorded at the pointand data recorded in system prior to the point. However, from theproperty of the master key in which it is effective in the entirety ofthe system, a defect occurs in that the exposure of the master keyaffects the entirety of the system.

By setting a key transmitted using an enabling key block of a recordingmedium so that it is used not as a master key effective in the entiresystem but as a media key effective in only the recording medium, theinfluence of exposure of the key can be suppressed. A method that usinga media key instead of a master key is described below as a secondembodiment of the present invention. Differences from the above firstembodiment are described.

Similarly to FIG. 13, FIG. 35 shows that after device 0 generatesupdating node key K(t)00 by using an enabling key block at a point twhich is recorded on the recording medium, and leaf key K0000 and nodekeys K000 and K00 which are stored in device 0, device 0 uses node keyK(t)00 to obtain updating media key K(t)_(media). The obtained updatingmedia key K(t)_(media) is used when performing data recording on therecording medium and playback of the data.

In FIG. 35, the pre-recording generation number is not essential becauseconcerning the media key, there is no concept of old and newgenerations, differently from the master key.

When a recording medium is loaded into each recording/playback devicefor data recording or playback, the recording/playback device calculatesmedia key K(t)_(media) for the recording medium in accordance with theflowchart shown in FIG. 36, and uses the updating media key K(t)_(media)to access the recording medium.

The reading of an enabling key block in step S2801 and the processing ofthe enabling key block in step S2802 (FIG. 36) are similar to stepsS1403 and S1404 in FIG. 14.

In step S2803, the recording/playback device reads, from the recordingmedium, code Enc(K(t)00, K(t)_(media)) obtained by using node key K(t)00to encode media key K(t)_(media). In step S2804, the recording/playbackdevice obtains the media key by decrypting the read code. If therecording/playback device is revoked from a group in the tree structureshown in FIG. 11, the media key cannot be obtained and recording on therecording medium and playback cannot be performed.

Next, data recording on the recording medium is described. Concerningthe media key, there is no concept of old and new generations,differently from the master key. Thus, determination in the firstembodiment (FIG. 15) of whether or not recording can be performed bycomparing the pre-recording generation information and the generation ofthe master key is not performed, and it is determined that recording ispossible if the media key has been obtained in the above process.Specifically, this is shown in the flowchart shown in FIG. 37. In FIG.37, in step S2901, the process determines whether the media key hasalready been obtained. If the media key has been obtained, a contentrecording process is executed in step S2902.

Data Recording Process Using Media Key Effective in Only RecordingMedium

The content recording process is described below with the block diagramsshown in FIGS. 38 and 39 and with the flowchart shown in FIG. 40.

In the second embodiment, an optical disk is used as an example of arecording medium, similarly to the first embodiment. The firstembodiment is also similar to the second embodiment in that in orderthat data on the recording medium may be prevented from being copied, adisk ID as identification information unique to the recording mediuminfluences a data encrypting key.

FIGS. 38 and 39 correspond to FIGS. 16 and 17 in the first embodiment,and differ in that a media key is used instead of the master key and inthat a recording-mode generation number that represents a master keygeneration is not used. FIG. 38 differs from FIG. 39 in that the writingof the disk ID is executed, similarly to the difference between FIG. 16ad FIG. 17.

FIG. 40 shows the data recording process of the second embodiment whichuses the media key. The flowchart in FIG. 40 corresponds to that in FIG.18 (the first embodiment). The flowchart in FIG. 40 is described below,mainly concerning differences from the first embodiment.

In FIG. 40, in step S3201, a recording/playback device 3000 reads acognizant key and/or a non-cognizant key which are stored in its memory,and the media key K(t)_(media) temporarily stored after being calculatedin step S2804 in FIG. 36. The recording/playback device 300 also reads astamper ID from the disk.

In step S3203, the recording/playback device 3000 determines whether ornot a disk ID has already been recorded as identification information onthe recording medium (optical disk). If the disk ID has already beenrecorded, in step S3203, the recording/playback device 300 reads thedisk ID (in the case of FIG. 38). If the disk ID has not already beenrecorded, in step S3204, a disk ID is generated by using a predeterminedmanner and is recorded on the disk (in the case of FIG. 39). The disk IDcan be stored in a lead-in area or the like because the disk needs tohave one disk ID. In either case, the recording/playback device 3000goes to step S3205.

In step S3205, the media key and the stamper ID which are read in stepS3201 are used to generate a disk unique key. A specific method ofgenerating the disk unique key is identical to that used in the firstembodiment, and the media key may be used instead of the master key.

In step S3206, a key that is unique to each time of recording, namely, atitle key is generated randomly or by a predetermined method, and isrecorded on the disk. Simultaneously, a recording mode activated whenrecording the title (data) is recorded on the disk.

The disk contains a data management file storing information that whichdata forms which title. The title key and the recording mode can bestored in the data management file.

A description of steps S3207 to S3215 is omitted since they are similarto steps S1807 to S1815 in FIG. 18.

In the above description, a disk unique key is generated by using amedia key, a stamper ID, and a disk ID, and a title unique key isgenerated by using the disk unique key, a title key, a cognizant key ora non-cognizant key. However, without using the disk unique key, byusing the media key, the stamper ID, the disk ID, the title key, and thecognizant key or the non-cognizant key, the title unique key may bedirectly generated. Also, without using the title key, by using thestamper ID, the disk ID, and the cognizant key or the non-cognizant key,a key corresponding to the title unique key may be generated.

As described above, data can be recorded on the recording medium byusing the media key.

Data Playback Process Using Media Key Effective in Only Recording Medium

A process for playing back the data recorded as described above isdescribed below with reference to the block diagram shown in FIG. 41 andthe flowchart shown in FIG. 42.

FIG. 41 corresponds to FIG. 31 in the first embodiment, and differs inthat since a media key is used instead of the master key, arecording-mode generation number is omitted.

In FIG. 42, in step S3401, a recording/playback device 3400 reads astamper ID and a disk ID from a disk 3420 as a recording medium, andalso reads a cognizant key and/or a non-cognizant key and the media keytemporarily stored after being calculated in step S2804 in step S36.

When the media key cannot be obtained by performing the process shown inFIG. 36 after loading the recording medium, the playback process is notperformed and terminated.

In step S3402, the title key of data to be read from the disk 3320, anda recording mode stored when recording the data are read.

In step S3403, the recording/playback device 3300 determines whether ornot the data can be played back. The details of step S3403 are shown inFIG. 43.

In step S3501, the recording/playback device 3300 determines whether ornot the media key is obtained. If the media key is not obtained, aplayback is impossible. If the media key is obtained, therecording/playback device 3300 goes to step S3502. Step S3502 is similarto step S2503 in FIG. 33. When the recording/playback device 3300possesses a key corresponding to a recording mode used when recordingthe data (a cognizant key for the cognizant mode or a non-cognizant keyfor the non-cognizant mode), the recording/playback device 3300determines that a playback is possible, and goes to step S3404. When therecording/playback device 3300 possesses the key, it determines that aplayback is impossible, and skips over steps S3404 to S3409 andterminates the process without performing the playback.

A description of steps S3404 to S3409 is omitted since they are similarto steps S2404 to S2409 in FIG. 32.

In the above description, by using a media key, a stamper ID, and a diskID, a disk unique key is generated, and by using the disk unique key, atitle key, a cognizant key or a non-cognizant key, a title unique key isgenerated. However, without using the disk unique key, by using themedia key, the stamper ID, the disk ID, the title key, and the cognizantkey or the non-cognizant key, the title unique key may be directlygenerated. Also, without using the title key, by using the media key,the stamper ID, the disk ID, and the cognizant key or the non-cognizantkey, a key corresponding to the title unique key may be generated.

As described above, data recording on the recording medium and theplayback from the recording medium are executed.

Copy Control in Recording Process

To protect advantages of a content copyrighter, content copying must becontrolled in a licensed device.

Specifically, when a content is recorded on a recording medium, it isrequired that after determining whether the content may be copied, onlya content allowed to be copied be recorded. When a content recorded onthe recording medium is played back and output, it is required thatunauthorized copying of the output content be prevented.

Accordingly, processing by the recording/playback device 100 or 200 inFIG. 1 or 2 in a case in which content recording and playback isperformed while performing the content copy control is described belowwith reference to the flowcharts shown in FIGS. 44A to 45B.

When a digital signal content from the exterior is recorded on therecording medium, the recording process shown in FIG. 44A is performed.This recording process is described using the recording/playback device100 shown in FIG. 1 as an example. When a digital signal content(digital content) is supplied to the input/output I/F 120 via, forexample, an IEEE 1394 serial bus, in step S4001, the input/output I/F120 receives the digital content and goes to step S4002.

In step S4002, the input/output I/F 120 determines whether the receiveddigital content may be copied. Specifically, when the content receivedby the input/output I/F 120 is not encrypted, for example, when aplaintext content is supplied to the input/output I/F 120 without usingthe above-described DTCP, the input/output I/F 120 determines that thereceived content may be copied.

It is assumed that the recording/playback device 100 is a device basedon the DTCP which executes the process in accordance with the DTCP. TheDTCP defines 2-bit Encryption Mode Indicator as copy control informationfor controlling copying. When the Encryption Mode Indicator is “00B”where B indicates that the adjacent value is a binary number, thecontent is of “Copy-freely” type. When the Encryption Mode Indicator is“01B”, the content is of a “No-more-copies” type in which the contentmay not be more copied. When the Encryption Mode Indicator is “10B”, thecontent is “Copy-one-generation” type in which the copying of thecontent can be performed once. When the Encryption Mode Indicator is“11B”, the content is “Copy-never” type in which copying of the contentis inhibited.

When the signal supplied to the input/output I/F 120 in therecording/playback device 100 includes an Encryption Mode Indicator, andthe Encryption Mode Indicator is of a type among Copy-freely andCopy-one-generation types, the input/output I/F 120 determines that thecontent may be copied. When the Encryption Mode Indicator is of a typeamong No-more-copies and Copy-never types, the input/output I/F 120determines that the content is not allowed to be copied.

In step S4002, if the input/output I/F 120 has determined that thecontent may not be copied, steps S4003 to S4005 are skipped over and therecording process is terminated. Accordingly, in this case, the contentis not recorded on the recording medium 195.

In step S4002, if the input/output I/F 120 has determined that thecontent may be copied, the process goes to step S4003. After that, stepsS4003, S4004, and S4005 are performed which are similar to steps S302,S303, and S304 shown in FIG. 3B. In other words, the addition by the TSprocessing unit 300 of the arrival time stamp to the transport packet,and encryption processing by the cryptosystem unit 150 are executed. Theresultant encrypted content is recorded on the recording medium 195, andthe recording process is terminated.

The Encryption Mode Indicator is included in the digital signal suppliedto the input/output I/F 120, so that when the digital content isrecorded, an Encryption Mode Indicator or information (e.g., embeddedcopy control information in the DTCP, etc.) which represents acopy-control status similarly to the Encryption Mode Indicator are alsorecorded, with the digital content.

In the recording, in general, information which representsCopy-One-Generation type is recorded after being converted intoinformation which represents No-more-copies type so that more copies arenot allowed.

In a recording/playback device of the present invention, copy controlinformation, such as Encryption Mode Indicator and embedded copy controlinformation, is recorded in a form in which it is added to the TSpacket. In other words, 32 bits which include an arrival time stamphaving 24 to 30 bits and copy control information, as shown in examples2 and 3 of FIG. 10, are added to each transport stream (TS) packet, asshown in FIG. 5.

When an analog signal content from the exterior is recorded on therecording medium 195, the recording process shown in FIG. 44B isperformed, which is described below.

When the analog signal content is supplied to the input/output I/F 140,the input/output I/F 140 receives the analog signal content in stepS4011 and goes to step S4012. In step S4012, the analog signal contentdetermines whether the received analog signal content may be copied.

The determination in step S4012 is performed by, for example,determining whether or not the signal received by the input/output I/F140 includes a Macrovision signal or a CGMS-A (Copy GenerationManagement System-Analog) signal. The Macrovision signal is a signalthat becomes noise after being recorded on a VHS videocassette tape.When this is included in the signal received by the input/output I/F140, the input/output I/F 140 determines that the analog content is notallowed to be copied.

The CGMS-A signal is such that a CGMS signal for use in digital signalcopy control is applied to analog signal copy control. The CGMS-A signalrepresents one of Copy-freely type in which the content is allowed to befreely copied, Copy-one-generation type in which the copying of thecontent can be performed only once, and Copy-never type in which copyingof the content is inhibited.

Accordingly, when the CGMS-A signal is included in the signal receivedby the input/output I/F 140 and represents one of the Copy-freely typeand the Copy-one-generation type, it is determined that the analogcontent may be copied. The CGMS-A signal represents the Copy-never type,it is determined that the analog content is not allowed to be copied.

In addition, for example, when the Macrovision signal and the CGMS-Asignal are not included in the received by the input/output I/F 140, itis determined that the analog content may be copied.

In step S4012, if the input/output I/F 140 has determined that theanalog content is not allowed to be copied, it skips over steps S4013 toS4017 and terminates the recording process. Accordingly, in this case,the content is not recorded on the recording medium 195.

In step S4012, if the input/output I/F 140 has determined that theanalog content may be copied, it goes to step S4013. After that, stepsS4013 to S4017 are performed which are similar to steps S322 to S326shown in FIG. 3B, whereby after performing MPEG encoding, TS processing,and encryption processing, the content is recorded on the recordingmedium 195 and the recording ends.

When the analog signal received by the input/output I/F 140 includes theCGMS-A signal, and the analog content is recorded on the recordingmedium 195, the CGMS-A signal is also recorded. The CGMS-A signal isrecorded in the copy control information or the other information shownin FIG. 10. In the recording, in general, information which representsCopy-One-Generation type is recorded after being converted intoinformation which represents No-more-copies type so that more copies arenot allowed. Although in the system, copy control information such asthe Copy-one-generation type is recorded without being converted intothe No-more-copies type, this does not apply to a case in which there isa rule that the copy control information is treated as theNo-more-copies type.

Copy Control in Playback Process

Next, in a case in which the content recorded on the recording medium195 is played back and output as a digital content to the exterior, theplayback process shown in FIG. 45A is performed, which is describedbelow.

First, steps S4101, S4102, and S4103 are performed which are similar tosteps S401, S402, and S403, whereby the encrypted content read from therecording medium 195 is decrypted in the cryptosystem unit 150 and isprocessed by transport stream processing. The processed digital contentis supplied to the input/output I/F 120 via the bus 110.

In step S4104, the input/output I/F 120 determines whether or not thesupplied digital content may not be copied later. In other words, whenthe digital content supplied to the input/output I/F 120 does notinclude an Encryption Mode Indicator or information (copy controlinformation) representing a copy control status, it is determined thatthe content may not be copied later.

When the digital content supplied to the input/output I/F 120 includescopy control information such as Encryption Mode Indicator, accordingly,when copy control information such as Encryption Mode Indicator isrecorded in accordance with the DTCP in content recording, the recordedcopy control information (recorded Encryption Mode Indicator) is ofCopy-freely type, it is determined that the content may not be copiedlater. When copy control information such as Encryption Mode Indicatoris of No-more-copies type, it is determined that the content is notallowed to be later copied.

In general, there is no case in which the recorded copy controlinformation (Encryption Mode Indicator) is of Copy-one-generation typeor Copy-never type. This is because the Copy-one-generation type ofEncryption Mode Indicator is converted to No-more-copies type ofEncryption Mode Indicator when performing recording and because adigital content having Copy-never type of Encryption Mode Indicator isnot recorded on a recording medium.

In step S4104, if the input/output I/F 120 has determined that thedigital content may not be copied later, it goes to step S4105, andoutputs the digital content to the exterior. After that, the playbackprocess ends.

In step S4104, if the input/output I/F 120 has determined that thedigital content may not be copied later, it goes to step S4106. In stepS4106, the input/output I/F 120 outputs the digital content to theexterior in accordance with the DTCP so that the digital content cannotbe later copied. After that, the playback process ends.

In other words, when the recorded copy control information (EncryptionMode Indicator) is of No-more-memories type, or in a case in which thesystem has a rule that Copy-one-generation type of copy controlinformation is recorded without being converted into No-more-memoriestype of copy control information, and copy control information(Encryption Mode Indicator) recorded under the rule is ofCopy-one-generation type, the content may not be more copied.

Accordingly, the input/output I/F 120 performs mutual authenticationwith another device in accordance with the DTCP standard. When thedevice is right (or is based on the DTCP standard), the digital contentis encrypted and output to the exterior.

Next, in a case in which the content recorded on the recording medium isplayed back and output as an analog content to the exterior, theplayback process shown in FIG. 45B is performed, which is describedbelow.

Steps S4111 to S4115 are performed which are similar to steps S421 toS425 shown in FIG. 4B. In other words, the reading of the encryptedcontent, transport stream processing, MPEG decoding, and D/A conversionare executed. The obtained analog content is received by theinput/output I/F 140.

In step S4116, the input/output I/F 140 determines whether or not thesupplied content may be copied. If copy control information such asEncryption Mode Indicator is not recorded with the content, theinput/output I/F 140 determines that the content may be copied.

In a case in which when recording the content, copy control informationsuch as Encryption Mode Indicator is recorded in accordance with theDTCP, and the copy control information is of Copy-freely type, theinput/output I/F 140 determines that the content may not be copiedlater.

When the copy control information is of No-more-copies type, or when inthe system there is, for example, a rule that Copy-one-generation typeof copy control information is recorded without being converted and istreated as No-more-copies type of copy control information, and copycontrol information recorded under the condition is ofCopy-one-generation type, the input/output I/F 140 determines that thecontent may not be copied later.

When the analog content supplied to the input/output I/F 140 includes,for example, a CGMS-A signal, in other words, in a case in which whenrecording the content, the CGMS-A signal is recorded with the content,and the CGMS-A signal represents Copy-freely type, it is determined thatthe analog content may not be copied later. If the CGMS-A signalrepresents Copy-never type, it is determined that the analog content maynot be copied later.

In step S4116, if the input/output I/F 140 has determined that theanalog content may not be copied later, it goes to step S4117. In stepS4117, the input/output I/F 140 outputs the supplied analog signal tothe exterior and terminates the playback process.

In step S4116, if the input/output I/F 140 has determined that thecontent may not be copied later, it goes to step S4118. In step S4118,the input/output I/F 140 outputs the analog content to the exterior in aform in which the analog content cannot be later copied, and theplayback process ends.

For example, when the recorded copy control information is ofNo-more-copies type, as described above, or in a case in which in thesystem there is a rule that Copy-one-generation type of copy controlinformation is recorded without being converted and is treated asNo-more-copies type, and copy control information recorded under thecondition is Copy-one-generation type, the content may not be morecopied.

Therefore, after adding, for example, a Macrovision signal or a CGMS-Asignal representing Copy-never type to the analog content, theinput/output I/F 140 outputs the obtained content to the exterior. Alsowhen the recorded CGMS-A signal represents Copy-never type, the contentmay not be more copied. Accordingly, after changing the CGMS-A signal torepresent Copy-never type, the input/output I/F 140 outputs the changedCGMS-A signal to the exterior, with the analog content.

As described above, by recording or playing back a content whileperforming content-copy control, copying (unauthorized copying) beyondthe allowable range of the content can be prevented.

Structure of Data Processing Unit

The above successive processes can be performed not only by hardware butalso by software. For example, although the cryptosystem unit 150 can beformed by an encryption/decryption LSI, processing by the cryptosystemunit 150 can be executed such that a general-purpose computer or asingle-chip microcomputer executes programs. Similarly, processing bythe TS processing unit 300 can be also performed by software. Whensoftware is used to perform successive processes, programs constitutingthe software are installed in a device such as a general-purposecomputer or a single-chip microcomputer. FIG. 46 shows an example of acomputer in which programs for executing the successive processes areinstalled.

The programs can be recorded beforehand on a hard disk 4205 or aread-only memory (ROM) 4203 as a recording medium which is built intothe computer. Alternatively, the programs can be temporarily oreternally stored (recorded) in a removable recording medium 4210 such asa floppy disk, a CD-ROM, a magneto-optical disk, a digital versatiledisk, a magnetic disk, or a semiconductor memory. The removablerecording medium 4210 can be provided in the form of so-called “packagesoftware”.

In addition to the installation of the programs from the removalrecording medium 4210 in the computer, after transmitting the programsfrom a download site to the computer by radio via a satellite fordigital satellite broadcasting or by wire via a network such as theInternet, the transmitted programs are received in a communication unit4208 and can be installed in the hard disk 4205 in the computer.

The computer includes a CPU 4202. An input/output interface 4211 isconnected to the CPU 4202 via a bus 4201. When a command is input by auser operating an input unit 4207 having a keyboard and a mouse, the CPU4202 executes a program stored in a ROM 4203 in accordance with theinput command.

Also, the program stored in the hard disk 4205, the program installed inthe hard disk 4205 after being transmitted via a satellite or a networkand received by the communication unit 4208, or the program installed inthe hard disk 4205 after being read from the removal recording medium4210 is loaded and executed in the CPU 4202.

This allows the CPU 4202 to perform the above processes in accordancewith the above flowcharts or the processes performed by the blockdiagrams. The CPU 4202 outputs the obtained results from an output unit4206 having a liquid crystal display, a speaker, etc., transmits themfrom the communication unit 4208, and records them on the hard disk4205, as required.

Here, in this Specification, processing steps that describe each programfor controlling the computer to perform various types of processing donot always need to be time-sequentially performed along the order inflowchart form, and include processes (e.g., parallel processes orobject-based processes) which are executed in parallel or separately.

Each program may be executed either by a single computer or by aplurality of computers. Each program may be executed after beingtransferred to a remote computer.

In the second embodiment a case in which a content encryption/decryptionblock is formed by a single-chip encryption/decryption LSI has beenmainly described. However, the content encryption/decryption block canbe implemented as a software module executed by the CPU 170 in FIG. 1 or2. Similarly, also processing by the TS processing unit 300 can beimplemented as a software module executed by the CPU 170.

Apparatus and Method for Producing Recording Medium

Next, an apparatus and method according to the present invention thatproduce the above information recording medium are described below.

FIG. 47 shows a schematic structure of a disk production apparatus 4300which produces a recording medium 4350 and records a disk ID, anenabling key block, and an encrypted master key or an encrypted mediakey on a recording medium.

In the disk production apparatus 4300, a disk ID, an enabling key block,and an encrypted master key or an encrypted media key are recorded on arecording medium 4350 which has already been assembled, with theabove-described secret information. Also, pre-recording generationinformation of the master key is recorded, as required.

The disk production apparatus 4300 includes a memory 4302, or anotherstorage unit, which contains disk IDs, enabling key blocks, andencrypted master keys or encrypted media keys, a recording medium I/F4303 that performs reading/writing from/to the recording medium 4350, aninput/output I/F 4304 as an interface with another apparatus, a controlunit 4301 for controlling the above units, and a bus 4305 forestablishing connection.

Although FIG. 47 shows the structure in which the memory 4302 and therecording medium I/F 4304 are included in the disk production apparatus4300, they may be externally provided.

The disk ID, the enabling key block, and the encrypted master key or theencrypted media key, the secret information such as stamper ID, and thepre-recording generation information of master key are issued by anidentifier management department, a key issuing center, etc., which arenot shown, and are stored beforehand in the internal or external memory4302.

The disk ID, the enabling key block, and the encrypted master key or theencrypted media key, the secret information, the pre-recordinggeneration information of master key, which are stored in the memory4302, are recorded on the recording medium 4350 via the recording mediumI/F 4303 under control of the control unit 4301. The pre-recordinggeneration information of master key is also recorded, as required.

The secret information is data generated by a secret informationgenerator having the construction described in the Writing and Playbackof Secret Information section, which are shown in, for example, FIGS. 25and 27. In accordance with the controller, data conversion of the secretinformation is performed, and the resultant converted data is written onthe recording medium 4350.

Concerning the disk ID, the enabling key block, and the encrypted masterkey or the encrypted media key, the secret information such as stamperID, and the pre-recording generation information of master key, not onlythose stored in the memory 4302, but also those sent from the keyissuing center via the input/output I/F 4304 can be used.

FIG. 48 shows a production flow in a recording medium production methodaccording to the present invention in which in the production of arecording medium, the disk ID, the enabling key block, and the encryptedmaster key or the encrypted media key, the secret information, and thepre-recording generation information of master key are recorded on arecording medium.

Referring to FIG. 48, in step S4401, a known assembly process (notshown) is used to assemble a recording medium such as a DVD or a Citeddocument.

In step S4402, the recording medium production apparatus shown in FIG.47 executes processing of recording, on the assembled recording medium,a disk ID, a stamper ID as secret information, an enabling key block,and an encrypted master key or an encrypted media key. Pre-recordinggeneration information is also recorded, as required.

By using the above disk production process, the recording medium isshipped from a production factory in the form of containing the disk ID,the stamper ID as secret information, the enabling key block, theencrypted master key or the encrypted media key. Also, the recordingmedium is shipped from the production factory after the pre-recordinggeneration number is recorded on the recording medium, as required.

The recorded secret information is not limited to the stamper ID. A diskID set for each disk, a content ID for each content, a cryptographickey, various types of identification data, and an encryption key may berecorded as the secret information. A recording/playback device of thepresent invention uses the various types of secret information togenerate a content-encryption key.

Format of Enabling Key Block

FIG. 49 shows an example of a format of the enabling key block. In FIG.49, a version 4501 is an identifier indicating the version of anenabling key block. A depth 4502 indicates a hierarchical-tree levelnumber of a device to which the enabling key block is distributed. Adata pointer 4503 indicates the position of a data part in the enablingkey block. A tag pointer 4504 indicates the position of a tag part inthe enabling key block. A signature 4508 indicates the position of asignature in the enabling key block. A data part 4506 stores, forexample, data generated by encrypting a node key to be updated.

The tag part 4507 indicates the positional relationship of the encryptednode keys and leaf key which are stored in the data part 4506. A rule ofproviding the tag is described with reference to FIG. 50. FIG. 50 showsan example of sending, as data, the enabling key block described usingFIG. 12A. The data is as shown in the table of the right portion (b) ofFIG. 50. The address of a top node included in an encryption key in thiscase is used as a top node address. As shown in the table, the top nodeaddress is KR because updating key K(t)R of root key is included.

Top encryption-key data Enc(K(t)0, K(t)R) corresponds to a denotedposition in the hierarchical tree of the left portion (a) of FIG. 50.Next data is represented by Enc(K(t)0, K(t)0) and corresponds to a lowerleft position from the previous data. The presence of data is indicatedby a tag value of “0”, while the absence of data is indicated by a tagvalue of “1”. Each tag is set as {left (L) tag, right (R) tag}. Sincethe left of top encryption-key data Enc(K(t)0, K(t)R) has data, L tag=0.Since the right of top encryption-key data Enc(K(t)0, K(t)R) has nodata, R tag=1. Tags are set for all of data, so that a data string and atag string are formed, as shown in the bottom portion (c) of FIG. 50.

Concerning the order of node processing in the tree, it is preferable touse one of breadth first processing in which widthwise processing at thesame level is first performed, and depth first processing in whichdepthwise processing is first performed.

Referring back to FIG. 49, the format of the enabling key block isfurther described below.

The signature is a digital signature performed by an authority thatissues the enabling key block, such as key-management center, contentprovider, settlement authority. A device that receives the enabling keyblock uses signature verification to verify that the received enablingkey block is issued by a right enabling key block issuer.

With reference to specified embodiments, the present invention has beendescribed. However, it is obvious that a person skilled in the art willmake a modification or substitution of the embodiments without departingthe spirit of the present invention. For example, as described above,the foregoing embodiments describe a case in which a stamper ID is usedas the secret information required for writing of data to be stored on adisk and playback processing. However, the secret information is notlimited to the stamper ID, but may be a disk ID differently set for eachdisk, a content ID set for each content, a cryptosystem key, variousidentification data, and an encryption key. In the foregoingembodiments, the present invention has been exemplified and should notbe limitedly interpreted. To determine the spirit of the presentinvention, the appended claims should be considered.

1. An information recording device for recording information on arecording medium, comprising: cryptosystem means for executingencryption processing on data to be stored on said recording medium; andsecret-information decoding means for reading secret information storedon said recording medium by executing a special data-reading processwhich is different from a process of reading content data stored on saidrecording medium; wherein said cryptosystem means generates acontent-encryption key by using, as a key-generating data, the secretinformation which is decoded after being read from said recordingmedium, and executes, based on the content-encryption key, theencryption processing on the data to be stored.
 2. An informationrecording device according to claim 1, wherein: the secret informationincludes a type of data among a stamper ID which is stored on saidrecording medium when said recording medium is produced and which iscommon to a plurality of recording media, a disk ID which is unique toeach of the recording media, a content ID which is differently set foreach content, and a cryptosystem key; and said secret-informationdecoding means executes a decoding process on the read data.
 3. Aninformation recording device according to claim 1, wherein saidcryptosystem means uses the read secret information to generate thecontent-encryption key, and the read secret information is allowed to beused only in the generation of the content-encryption key which isexecuted in said cryptosystem means, without being stored in storagemeans which is readable from the outside of said information recordingdevice.
 4. An information recording device according to claim 1,wherein: said information recording device possesses node keys which areunique to nodes constituting a hierarchical tree structure having aplurality of different information recording devices as leaves; saidcryptosystem means generates the content-encryption key based on theread secret information and encryption-key-generating data which isstored in said information recording device; and theencryption-key-generating data can be updated by using an enabling keyblock generated such that a node key is encrypted by using a keyincluding at least one of a node key and a leaf key which are positionedat a lower level.
 5. An information recording device according to claim4, wherein the encryption-key-generating data is one of a master keycommon to a plurality of information recording devices and a media keyunique to a specified recording medium.
 6. An information recordingdevice according to claim 4, wherein: the encryption-key-generating datacorresponds to a generation number as updating information; and whenstoring encrypted data on said recording medium, said cryptosystem meansstores on said recording medium the generation number of theencryption-key-generating data as a recording-mode generation number. 7.An information recording device according to claim 4, further comprisingtransport-stream processing means for adding an arrival time stamp toeach of transport packets constituting a transport stream; saidcryptosystem means generates a block key as an encrypted key for blockdata composed of at least one transport packet to which the arrival timestamp is added; and in encryption of the data to be stored on saidrecording medium, said cryptosystem means generates a block key as anencryption key based on data including the secret information, theencryption-key-generating data, and a block seed as additionalinformation which includes the arrival time stamp and which is unique tothe block data.
 8. An information recording device according to claim 1,wherein: said secret-information decoding means is structured to executedecoding processing on data which is stored on said recording medium byusing a binary sequence to disturb a string of bits constituting thesecret information; and said secret-information decoding means executesdecoding processing of the secret information by generating the binarysequence and executing arithmetic processing using the generated binarysequence and a playback signal from said recording medium.
 9. Aninformation recording device according to claim 1, wherein saidsecret-information decoding means reads, from said recording medium,data which is recorded in a form converted in a predetermined mannerfrom the secret information in units of a plurality of bits constitutingthe secret information, and executes decoding processing on the secretinformation by converting the read data again. 10-18. (canceled)
 19. Aninformation recording method for recording information on a recordingmedium, said information recording method comprising: asecret-information decoding step which reads secret information storedon said recording medium by executing a special data-reading processwhich is different from a process of reading content data stored on saidrecording medium; and a cryptosystem step which generates acontent-encryption key by using, as a key-generating data, the secretinformation which is decoded after being read from said recording mediumin said secret-information decoding step, and executes, based on thecontent-encryption key, the encryption processing on the data to bestored.
 20. An information recording method according to claim 19,wherein: the secret information includes a type of data among a stamperID which is stored on said recording medium when said recording mediumis produced and which is common to a plurality of recording media, adisk ID which is unique to each of the recording media, a content IDwhich is differently set for each content, and a cryptosystem key; andsaid secret-information decoding means executes a decoding process onthe read data.
 21. An information recording method according to claim19, wherein said cryptosystem step includes a step which uses the readsecret information to generate the content-encryption key, and the readsecret information is allowed to be used only in the generation of thecontent-encryption key which is executed in said cryptosystem step,without being stored in storage means which is readable from the outsideof said information recording device.
 22. An information recordingmethod according to claim 19, wherein: said cryptosystem step includes astep which generates the content-encryption key based on the read secretinformation and encryption-key-generating data which is stored in saidinformation recording device; and the encryption-key-generating data canbe updated by an enabling key block generated such that in ahierarchical tree structure having a plurality of different informationrecording devices as leaves, branches as nodes, and unique keys set forsaid leaves and said nodes, a node key is encrypted by using a keyincluding at least one of a node key and a leaf key which are positionedat a lower level.
 23. An information recording method according to claim22, wherein the encryption-key-generating data is one of a master keycommon to a plurality of information recording devices and a media keyunique to a specified recording medium.
 24. An information recordingmethod according to claim 22, wherein: the encryption-key-generatingdata corresponds to a generation number as updating information; andwhen storing encrypted data on said recording medium, said cryptosystemstep stores on said recording medium the generation number of theencryption-key-generating data as a recording-mode generation number.25. An information recording method according to claim 22, furthercomprising a transport-stream processing step for adding an arrival timestamp to each of transport packets constituting a transport stream; saidcryptosystem step includes a step which generates a block key as anencrypted key for block data composed of at least one transport packetto which the arrival time stamp is added; and in encryption of the datato be stored on said recording medium, said cryptosystem step generatesa block key as an encryption key based on data including the secretinformation, the encryption-key-generating data, and a block seed asadditional information which includes the arrival time stamp and whichis unique to the block data.
 26. An information recording methodaccording to claim 19, wherein: said secret-information decoding stepincludes a step which executes decoding processing on data which isstored on said recording medium by using a binary sequence to disturb astring of bits constituting the secret information; and saidsecret-information decoding step executes decoding processing of thesecret information by generating the binary sequence and executingarithmetic processing using the generated binary sequence and a playbacksignal from said recording medium.
 27. An information recording methodaccording to claim 19, wherein said secret-information decoding stepreads, from said recording medium, data which is recorded in a formconverted in a predetermined manner from the secret information in unitsof a plurality of bits constituting the secret information, and executesdecoding processing on the secret information by converting the readdata again. 28-36. (canceled)
 37. An information recording mediumcontaining: secret information which can be played back only byexecuting a special data-reading process different from an ordinarydata-reading process; and an encrypted content which can be decrypted byusing a cryptosystem key which can be generated by using said secretinformation.
 38. An information recording medium according to claim 37,wherein said secret information includes a type of data among a stamperID common to a plurality of recording media, a disk ID which is uniqueto each of the recording media, a content ID which is differently setfor each content, and a cryptosystem key.
 39. A program providing mediumfor providing a computer program which controls a computer system toexecute information-recording processing for recording information on arecording medium, said computer program comprising: a secret-informationdecoding step which reads secret information stored on said recordingmedium by executing a special data-reading process which is differentfrom a process of reading content data stored on said recording medium;and a cryptosystem step which generates a content-encryption key byusing, as a key-generating data, the secret information which is decodedafter being read from said recording medium in said secret-informationdecoding step, and executes, based on the content-encryption key, theencryption processing on the data to be stored.
 40. A program providingmedium for providing a computer program which controls a computer systemto execute information-playback processing for playing back informationstored on a recording medium, said computer program comprising: asecret-information decoding step which reads secret information storedon said recording medium by executing a special data-reading processwhich is different from a process of reading content data stored on saidrecording medium; and a decryption step which generates acontent-decryption key by using, as a key-generating data, the secretinformation which is decoded after being read from said recording mediumin said secret-information decoding step, and executes, based on thecontent-decryption key, the decryption processing on the read data.